Web Dispatcher SSL query

Our web disp URL does not work after implementing SSL. (when we access the URL, it's not reachable)
In the error logs, I find:
ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "E:\usr\sap\WDE\W00\sec\SSP_WDE_PSE_20090922.pse
In [this msg (scroll to bottom)|SAP Web Dispatcher SSL Error;, I saw that the PIN should be set for the user that starts up the service (SAPServiceWDE) as well.
Now my query is:
1. I have set the pse pin using WDEADM. How can I set the pse pin again for SAPServiceWDE ?
2. Will this command (after logging in to the OS with SAPServiceWDE) work:
sapgenpse get_pse -noreq -p <PSE path> -x <existing PSE PIN> [DN]
3. Will I have to regenerate the CSR and get a response again?
Note: We have Windows OS

2 --- Yes, it will work
3 --- not reqd

Similar Messages

Web dispatcher SSL error

Hi, All
I am using webdispatcher as reverse proxy for SSL terminiation. let me explain my steps.
to create pse
1-get request file
sapgenpse get_pse u2013s2048 -p C:\usr\sap\FW2\W00\sec\SAPSSLS.pse -r C:\usr\sap\FW2\W00\sec\SAPSSLS.req "CN=portal.xxx.com, OU=xxx company"
I got request file.
2-import
sapgenpse import_own_cert -p C:\usr\sap\FW2\W00\sec\SAPSSLS.pse -c C:\usr\sap\FW2\W00\sec\reponse.cer -r C:\usr\sap\FW2\W00\sec\subroot.cer -r C:\usr\sap\FW2\W00\sec\root.cer -x 12345
CA-Response successfully import int0 PSE
3-create credentials
sapgenpse seclogin -p C:\usr\sap\FW2\W00\SAPSSLS.pse -x 12345 -O SAPServiceFW2
Added SSO-credentials for PSE "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse
4-I also check permission of SAPSSLS.pse for SAPServiceFW2 and fw2adm (win 2008 )
5- sapcrypto installed
here profile parameters
wdisp/shm_attach_mode = 6
rdisp/mshost = xxxxx
ms/http_port = 8101
DIR_INSTANCE = C:\usr\sap\FW2\W00
ssl/ssl_lib = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
ssl/server_pse = C:\usr\sap\FW2\W00\sec\SAPSSLS.pse
wdisp/auto_refresh = 120
wdisp/max_servers = 100
icm/server_port_0 = PROT=HTTPS, PORT=443
icm/server_port_1 = PROT=HTTP, PORT=80
icm/HTTP/admin_0 = PREFIX=/sap(wdisp/admin,DOCROOT=./admin
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
ssf/name = SAPSECULIB
ssf/ssfapi_lib = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
sec/libsapsecu = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
here dev_webdisp
trc file: "dev_webdisp", trc level: 1, release: "700"
sysno 00
sid FW2
systemid 562 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 250
intno 20050900
make: multithreaded, ASCII, 64 bit, optimized
pid 3612
[Thr 3500] started security log to file dev_icm_sec
[Thr 3500] SAP Web Dispatcher running on: webdisp.com
[Thr 3500] MtxInit: 30001 0 2
[Thr 3500] IcmInit: listening to admin port: 65000
[Thr 3500] IcrCoreInitSessionTable: Session table initialized
[Thr 3896] =================================================
[Thr 3896] = SSL Initialization on PC with Windows NT
[Thr 3896] = (700_REL,May 3 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 3896] profile param "ssl/ssl_lib" = "C:\usr\sap\FW2\W00\sec\sapcrypto.dll"
 resulting Filename = "C:\usr\sap\FW2\W00\sec\sapcrypto.dll"
[Thr 3896] profile param "ssl/server_pse" = "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
 resulting Filename = "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
[Thr 3896] = found SAPCRYPTOLIB 5.5.5C pl30 (Jul 23 2010) MT-safe
[Thr 3896] = current UserID: FRIK\SapServiceFW2
[Thr 3896] = found SECUDIR environment variable
[Thr 3896] = using SECUDIR=C:\usr\sap\FW2\W00\sec
[Thr 3896] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1360]
[Thr 3896] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 3896] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 3896] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
[Thr 3896] << -
End of Secude-SSL Errorstack -
[Thr 3896] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
 for "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse" [ssslxxi.c 2314]
[Thr 3896] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 3896] =================================================
[Thr 3896] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 3896] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=0, flags=4098) for /:0
[Thr 3896] HttpExtractArchive: files from archive C:\usr\sap\FW2\SYS\exe\nuc\NTAMD64/wdispadmin.SAR in directory . are up to date
[Thr 3896] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap(wdisp/admin:0
[Thr 3896] CsiInit(): Initializing the Content Scan Interface
[Thr 3896] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
[Thr 3896] CsiInit(): CSA_LIB = "C:\usr\sap\FW2\SYS\exe\nuc\NTAMD64\sapcsa.dll"
[Thr 3896] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 3896] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=3, flags=28677) for /:0
[Thr 3896] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
[Thr 3896] Started service 80 for protocol HTTP on host "webdisp.com"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
[Thr 3500] IcmCreateWorkerThreads: created worker thread 0
[Thr 3500] IcmCreateWorkerThreads: created worker thread 1
[Thr 3500] IcmCreateWorkerThreads: created worker thread 2
[Thr 3500] IcmCreateWorkerThreads: created worker thread 3
[Thr 3500] IcmCreateWorkerThreads: created worker thread 4
[Thr 3500] IcmCreateWorkerThreads: created worker thread 5
[Thr 3500] IcmCreateWorkerThreads: created worker thread 6
[Thr 3500] IcmCreateWorkerThreads: created worker thread 7
[Thr 3500] IcmCreateWorkerThreads: created worker thread 8
[Thr 3500] IcmCreateWorkerThreads: created worker thread 9
[Thr 3336] IcmWatchDogThread: watchdog started
Regards
ABH
Edited by: ABH on Oct 13, 2010 9:34 AM

Hi,
it was domain installation. But I needed to create SAPServieSID user on the local too. this solved my problem. I gave required permmison to pse again for local user. it is sound weird but it is working now.
Regrads
ABH

Web Dispatcher - SSL - Portal

Hi,
I have configured Web Dispatcher for SSL Termination to the portal. When I go to my https://... Web Dispatcher address, the portal comes up but the address in the browser changes to http://....
What could the problem be? Why is the Web Dispatcher terminating the SSL between it & the browser? There's nothing in the trace file that indicates a problem.
Many thanks in advance.
Regards
Jane

Hi Jane Tooke,
 In the profile file of web dispatcher which is " sapwebdisp.pfl " located in the sapwebdisp directory, please check if the following parameter exists. This parameter describes how the inbound connections are handled by web dispatcher.
wdisp/ssl_encrypt
the possible values for this parameter are < 0, 1, 2 >
wdisp/ssl_encrypt = 0 ( this means the SSL is terminated when sending to the
 back end server )
wdisp/ssl_encrypt = 1 ( the SSL is terminated and then SSL encrypted again by
 webdispatcher )
wdisp/ssl_encrypt = 2 ( the SSL is not terminated and request is sent encrypted
 to the back end )
The default value of this parameter is " 0 " . So, set it as appropriate to solve your purpose. Please refer to the following link to find more explanation about each of the profile parameters of the web dispatcher.
http://help.sap.com/saphelp_nw04/helpdata/en/de/89023c59698908e10000000a11402f/frameset.htm
Sai Kondapi

SAP Web Dispatcher SSL Error

We are having issues with our SSL connection to the SAP Web AS. Below is the error in the log files:
[Thr 472] =================================================
[Thr 472] = SSL Initialization on PC with Windows NT
[Thr 472] = (700_REL,Jul 14 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 472] profile param "ssl/ssl_lib" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sapcrypto.dll"
 resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sapcrypto.dll"
[Thr 472] profile param "ssl/server_pse" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
 resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
[Thr 472] profile param "ssl/client_pse" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\SAPSSLC.PSE"
 resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\SAPSSLC.PSE"
[Thr 472] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
[Thr 472] = current UserID: NT AUTHORITY\SYSTEM
[Thr 472] = found SECUDIR environment variable
[Thr 472] = using SECUDIR=c:\program files\sap\sapwebdisp\
[Thr 472] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse" not found! [ssslsecu.c 1354]
[Thr 472] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 472] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 472] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
[Thr 472] << -
End of Secude-SSL Errorstack -
[Thr 472] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
 for "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<OurPSE>.pse" [ssslxxi.c 2278]
[Thr 472] Tue Mar 31 13:30:06 2009
[Thr 472] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 472] =================================================
[Thr 472] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 472] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
[Thr 3744] IcmCreateWorkerThreads: created worker thread 0
[Thr 2952] *** ERROR => IcmConnClientRqCreate: No service for protocol HTTPS started [icxxconn.c 2701]
[Thr 2952] *** ERROR => IcmConnClientRqCreate() failed (rc=-1) [icrxx.c 5234]
[Thr 2952] *** ERROR => Could not connect to SAP Message Server at onebase. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2591]
[Thr 2952] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c 2592]
[Thr 2952] *** ERROR => see also OSS note 552286 [icrxx.c 2593]
[Thr 3744] IcmCreateWorkerThreads: created worker thread 1
[Thr 3744] IcmCreateWorkerThreads: created worker thread 2
[Thr 3744] IcmCreateWorkerThreads: created worker thread 3
[Thr 3744] IcmCreateWorkerThreads: created worker thread 4
[Thr 3292] IcmWatchDogThread: watchdog started
I've already used sapgenpse seclogin -p <PSE File> -x <PIN> to create a pin. I've also gone and deleted the old pin that used to be there and created a new one.
Also I noticed it says "Beware: changing a PIN of a PSE will not auto-update the SSO-credential
Beware: adding a new credential will not auto-update an existing credential"
So once you change it how do you update it? Do you need to reboot the Web Dispatcher or do you just need to restarted the service?

I am also facing same issue.
I have added credentials also and successfully done.
Here attaching trace file. Please suggest
trc file: "dev_webdisp", trc level: 1, release: "720"
sysno 00
sid WD1
systemid 390 (AMD/Intel x86_64 with Linux)
relno 7200
patchlevel 0
patchno 68
intno 20020600
make multithreaded, ASCII, 64 bit, optimized
profile /usr/sap/WD1/profile/WD1_W00_sapportal
pid 26732
[Thr 139840314074976] Thu Oct 31 13:54:15 2013
[Thr 139840314074976] *** WARNING => The maximum number of sockets supported on this host is 1020.
This is less than the number of sockets configured in parameter icm/max_sockets (8192) [icxxrout_mt. 3417]
[Thr 139840314074976] started security log to file ./dev_icm_sec
[Thr 139840314074976] SigISetDefaultAction : default handling for signal SIGCHLD
[Thr 139840314074976] SAP Web Dispatcher running on: sapportal.abrajoman.com
[Thr 139840314074976] MtxInit: 30001 0 2
[Thr 139840314074976] ***LOG IM1=> IcmInit, Startup (SAP Web Dispatcher&sapportal.abrajoman.com&26732&) [icxxrout_mt. 1914]
[Thr 139840314074976] IcmInit: listening to admin port: 65000
[Thr 139840314074976] MPI: dynamic quotas disabled.
[Thr 139840314074976] MPI init: pipes=4000 buffers=1279 reserved=383 quota=10%
[Thr 139840314074976] CCMS: SemInMgt: Semaphore Management initialized by AlAttachShm_Ext.
[Thr 139840314074976] CCMS: SemInit: Semaphore 38 initialized by AlAttachShm_Ext.
[Thr 139840314074976] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
[Thr 139840314074976] IcrCoreInitSessionTable: Session table initialized
[Thr 139840167098112] HttpExtractArchive: files from archive /usr/sap/WD1/SYS/exe/run/wdispadmin.SAR in directory /usr/sap/WD1/W00/data/icmandir are up to date
[Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpAdminHandler(0x7f2f0c000e70), slot=0, flags=36869) for /sap/admin, active: 1, table 0x7f2f0c000a10
[Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpModHandler(0x7f2f0c0012e0), slot=1, flags=12293) for /, active: 1, table 0x7f2f0c000a10
[Thr 139840167098112] CsiInit(): Initializing the Content Scan Interface
[Thr 139840167098112] AMD/Intel x86_64 with Linux (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
[Thr 139840167098112] CsiInit(): CSA_LIB = "/usr/sap/WD1/SYS/exe/run/libsapcsa.so"
[Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpAuthHandler(0x7f2f0c001440), slot=2, flags=12293) for /, active: 1, table 0x7f2f0c000a10
[Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpWebDispHandler(0x7f2f0c008340), slot=3, flags=1060869) for /, active: 1, table 0x7f2f0c000a10
[Thr 139840167098112] Started service PORT=8100,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=60
[Thr 139840167098112] =================================================
[Thr 139840167098112] = SSL Initialization platform tag=(linuxx86_64_gcc41)
[Thr 139840167098112] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 139840167098112] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840167098112] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840167098112] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
[Thr 139840167098112] = current UserID: "wd1adm", env-var USER="wd1adm"
[Thr 139840167098112] = using SECUDIR=/usr/sap/WD1/W00/sec
[Thr 139840167098112] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
[Thr 139840167098112] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
[Thr 139840167098112] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 139840167098112] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 139840167098112] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] << ---------- End of Secude-SSL Errorstack ----------
[Thr 139840167098112] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
[Thr 139840167098112] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 139840167098112] =================================================
[Thr 139840167098112]
[Thr 139840167098112] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 139840167098112] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
[Thr 139840167098112] *** WARNING => Could not start service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 651]
[Thr 139840314074976] SigISetDefaultAction : default handling for signal SIGCHLD
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 0
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 1
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 2
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 3
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 4
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 5
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 6
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 7
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 8
[Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 9
[Thr 139840167098112] IcmWatchDogThread: watchdog started
[Thr 139840148838144] Thu Oct 31 13:54:36 2013
[Thr 139840148838144] =================================================
[Thr 139840148838144] = SSL Initialization platform tag=(linuxx86_64_gcc41)
[Thr 139840148838144] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 139840148838144] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840148838144] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840148838144] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
[Thr 139840148838144] = current UserID: "wd1adm", env-var USER="wd1adm"
[Thr 139840148838144] = using SECUDIR=/usr/sap/WD1/W00/sec
[Thr 139840148838144] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
[Thr 139840148838144] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
[Thr 139840148838144] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 139840148838144] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 139840148838144] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840148838144] << ---------- End of Secude-SSL Errorstack ----------
[Thr 139840148838144] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
[Thr 139840148838144] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 139840148838144] =================================================
[Thr 139840148838144]
[Thr 139840148838144] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 139840148838144] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
[Thr 139840148838144] *** WARNING => Could not reactivate service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 1550]
[Thr 139840148838144] *** ERROR => ICP_icm_mod_service: ModService(7) failed for 8300, HTTPS(rc=-14) [icrxxadmin_m 5519]
[Thr 139840151480064] Fri Nov 1 10:54:13 2013
[Thr 139840151480064] =================================================
[Thr 139840151480064] = SSL Initialization platform tag=(linuxx86_64_gcc41)
[Thr 139840151480064] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 139840151480064] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840151480064] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
[Thr 139840151480064] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
[Thr 139840151480064] = current UserID: "wd1adm", env-var USER="wd1adm"
[Thr 139840151480064] = using SECUDIR=/usr/sap/WD1/W00/sec
[Thr 139840151480064] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
[Thr 139840151480064] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
[Thr 139840151480064] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 139840151480064] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 139840151480064] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840151480064] << ---------- End of Secude-SSL Errorstack ----------
[Thr 139840151480064] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
[Thr 139840151480064] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 139840151480064] =================================================
[Thr 139840151480064]
[Thr 139840151480064] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 139840151480064] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
[Thr 139840151480064] *** WARNING => Could not reactivate service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 1550]
[Thr 139840151480064] *** ERROR => ICP_icm_mod_service: ModService(7) failed for 8300, HTTPS(rc=-14) [icrxxadmin_m 5519]
Trace File
 (11768bytes)
Thanks,
Kundan

CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

Hi,
We need to set up access to crm_ui reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to setup the web-dispatcher in the application dmz. The initial login is going to be via the web dmz layer (using sun's iplanet server), which then routes the crm URL to the web dispatcher in the App dmz and then from the web dispatcher to CRM server.
One requirement from our security team is to set up the flow as HTTPS.
On going through SAP help I get the impression that it can be set up two ways, one, configuring web dispatcher to pass the SSL connection to backend, & two - configuring the web dispatcher to terminate SSL.
Seems the former is quite straight forward (from SAP online help we have to set the icm/server_port_<xx>> = PROT=ROUTER) but does it also require that we setup the crm_ui_frame service as SSL and activate the HTTPS service in ICM?
Or is it better to go via the second option (HTTPS termination) without changing the backend setup? SAP Online help lists steps to do the HTTPS termination but I have not come across any detailed documentation for the first method.
Any thoughts, suggestions will be helpful for either scenario.
Thanks,
Rommel Bhan

Thanks Martin the document helped.
Now the web dispatcher seems to talk to the HTTPS port on the backend.
However there is one issue I see in the dev_webdisp and was wondering if you have an insight.
Based on webdispatcher parameters, its taling to ms_https_port 8533 of backend
[Thr 773] Mon Feb 15 15:03:35 2010
[Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 773] secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 773] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"
[Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 773] << -
End of Secude-SSL Errorstack -
[Thr 773] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 773] SSL NI-sock: local=10.104.146.81:62579 peer=10.104.146.81:8533
[Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT
[Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]
[Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c 5976]
[Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c 3289]
[Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c 3290]
[Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c 3291]
My backend is setup with SSL and web dispatcher is set to the following. Also since the backend and sapweb dispatcher are on the same host, using the same sidadm, the SSL stuff is on one location. I generated the SAPSSLS.pse in the backend using STRUST
Accessibility of Message Servers
rdisp/mshost = sapcms02
ms/http_port = 8100
ms/https_port = 8533
wdisp/server_info_protocol = https
SAP Web Dispatcher Ports
icm/server_port_0 = PROT=ROUTER,PORT=60000
icm/server_port_1 = PROT=HTTPS,PORT=0
icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port
#SSL parameters similar to one in backend
ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssf/name = SAPSECULIB
ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse

Error when configuring Web Dispatcher for SSL with Enterprise Portal

We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ). We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103). We are now receiving this strange certificate error when we start the Web Dispatcher:
[Thr 5332] Tue Mar 20 00:36:23 2007
[Thr 5332] MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
[Thr 5332] SSL socket: local=<IPADDRESS>:4742 peer=<IPADDRESS>:8103
[Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
[Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c 4919]
[Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2301]
[Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c 2302]
[Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c 2303]
We have gone through the trouble shooting note 552286 as listed in the error above. Any assistance is appreciated.

Hello, did you receive any resolution for this problem? We are receiving a similar error and I am unsure of how to resolve.

Certificate question in Web Dispatcher End-To-End SSL scenario

Hy experts,
in end-to-end SSL scenario the web dispatcher (WD) is not used to encrypt/decrypt data, it is only used to forward requests.
So I think we do need a certificate for the portal server, but none for the web dispatcher itself, right?
Another point is which data should be given for CN, DN, OU etc in this scenario (Portal or WD ??)
kind regards
Tom

Tom,
For end to end SSL you do not need a certificate for the Web dispatcher but your J2EE engine should be configured to be accessible over SSL.
If you get the SSL certificate issued for the J2EE based on the name of the J2EE host it will result in a warning message as portal will be accessed using host name of Web dispatcher, so get the certificate issued under the name of the web dispatcher hostname. So, adjust your CN, DN, OU accordingly.
Cheers!!

Web Dispatcher and SSL on ABAP+Java

Hello,
Have installed SAP web dispatcher on WAS 6.40 ABAP+Java system. Communicating with Portal SP16 system.
The HTTP works fine. Have not been able to get SSL working with web dispatcher.
For troubleshooting activated ITS on this system and HTTPS works fine with ITS webgui.
Have followed the "how to" SSL for web dispatcher guide.
Also should mention that we have generated certificate requests and PSE's but our organization has not yet chosen a certificate authority to sign the cerficates. For other scenarios (log onto Portal, XI, etc) the only difference is the certifcate warning dialog, otherwise works fine. Would this cause a problem for Web Dispatcher?
Trying the SSL end to end scenario receive
WARNING: Could not start service 0 for protocol HTTPS on host "max-sap" on all adapters
Is there anything
unique for the ABAP+Java configuration?
Thanks,
Alan

I solved this problem by setting the following profile parameter on my webdispatcher profile.
wdisp/ssl_ignore_host_mismatch = true
Doesn't fix the underlying problem but got me going until I can figure it out.

SSL Re-encryption with Portal and Web Dispatcher: certificate expired

Hello,
I am trying to set up HTTPS connection to the Portal through SAP Web Dispatcher. We are using SSL Re-encryption. I think I got everything set up correctly. When trying to access through a Web browser the web dispatcher trace file shows error message 'certificate expired'. Looking at the Portal (Visual admin - Keystore) I am pretty sure it is the service-ssl with localhost. It is expired. Two questions:
- is it correct that it uses localhost or am I missing anything?
- How would I recreate the certificate? (I am sure it is somewhere in the Online documentation, but haven't found it yet). Can I do this while the Portal is productive without breaking the normal access (http) to the Portal. This is our Production portal.
Thanks,
Ingrid

Hi,
Go thru the contents of SAP Note,
685306 -Enabling SSL and renewing the J2EE certificate
And also the help contents in,
http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
These might of some help to you !
Regards
Srinivasan T

Web dispatcher with SSL

Hi,
We have EP 6.0 SP16 paltform on win2003/oracle.
We configured SSL, so we connect using https protocol.
We have two application servers for our portal platform.
For load balancing we use SAP Web Dispatcher.
we didn't configure SSL for the host where Web dispatcher resides. So we want web dispather to convert http requests to https.
For this purpose we used parameters
icm/server_port_0 = PROT=HTTP, PORT=8003
wdisp/ssl_encrypt = 2
as said in
http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
we get error:
Detail: no valid destination server available for '!ALL' rc=7
How can we solve this error ?
Best regards

Hello ..,
By defining wdisp/ssl_encrypt = 2 in your pfl file is not enough. I'm assuming you ahve missed the following steps:-
1. Install the SAP Cryptographic Library on the SAP Web Dispatcher.
2. Set the profile parameters.
3. Create the SAP Web Dispatchers PSE(s) and certificate request(s).
4. Send the certificate request(s) to a CA to be signed.
5. Import the certificate request response(s) into the PSE.
6. Create credentials for the SAP Web Dispatcher.
7. Restart the SAP Web Dispatcher.
8. Test the connection.
You need to perform all the above mentioned steps for the SSL. Please refer this link:-
http://help.sap.com/saphelp_nw04/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
Regards
Vaib

SAP Web Dispatcher Configuration (SSL, certificates)

Hi all,
We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost)fine. However, there's some strange behavior that I can not explain.
The following access point have been specified in the profile:
Description of the Access Points
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
icm/HTTPS/verify_client = 2
Basicly we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
The Web Dispatcher returns an error upon accessing it using HTTPS:
Dispatching Error
Error: -26
Version: 6040
Component: HTTP_ROUTE
Date/Time: Tue Mar 14 07:19:38 2006
Module: http_route.c
Line: 2383
Server: sapvm1_DVS_26
Detail: no valid destination server available for '!ALL' rc=13
Any help would be highly appreciated. Thanks!
Frodo

Hi KS,
Maybe you were right afterall I found a nice How to on the servce.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
All is working now.
Frodo

Web Dispatcher with SSL termination for EP

Hi All,
I want to configure SAP Web Dispatcher (installed on windows) for SSL
termination scenario. I did all the configuration steps, SSL Basic,
SSL termination steps without Metadata Exchange scenario.
But , when i am trying to access the portal using "
https://<DispatcherHost>:<Port>/irj/portal", its giving page
can not be displayed error
This is how the profile file of the dispatcher looks like,
profile file **************
Profile generated by sapwebdisp bootstrap
unique instance number
SAPSYSTEM = 2
Accessibility of Message Servers
rdisp/mshost = <portal server>
ms/http_port = 8101
SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6
configuration for large scenario
icm/max_conn = 16384
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 250
mpi/total_size_MB = 500
mpi/max_pipes = 21000
#maximum number of concurrent connections to one server
wdisp/HTTP/max_pooled_con = 2000
wdisp/HTTPS/max_pooled_con = 2000
SAP Web Dispatcher Ports
SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
icm/server_port_0 = PROT=HTTPS,PORT=5000
icm/server_port_1 = PROT=HTTP,PORT=0
icm/HTTPS/verify_client = 0
DIR_INSTANCE=D:\SAP_SSL\secudir
ssl/ssl_lib=D:\SAP_SSL\secudir\sapcrypto.dll
sss/server_pse=D:\SAP_SSL\secudir\SAPSSL.pse
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
profile file **************
After modifying the profile file, restarting the dispatcher gives the
following information in the command prompt,
Information in command prompt *******
D:\SAP_SSL\sapwebdisp\sapwebdisp pf=sapwebdisp.pfl
**Warning: Could not start service 5000 for protocol HTTPS on host
<hostname>" <on all adapters>
*SAP Web Dispatcher up and operational <pid: 1700>*
Information in command prompt *******
What may be problem? Did i miss out any steps ?
Please help !
Regards,
Sandip

Hi Sandip,
Please check this thread..
/thread/41459 [original link is broken]
cheers,
Prashanth
P.S : Please mark helpful answers

Web Dispatcher and SSL

Dear All,
I've configured Web Dispatcher with SSL. When I run command "sapwebdisp pf=sapwebdisp.pfl", my HTTPS service could not be started. It gives me error "WARNING: Could not start service 60000 for protocol HTTPS on host "myserver" (on all adapters)".
Any idea?
BTW, my SAP Web Dispatcher is up and running.
Rgds,
Hapizorr

HI Koti Reddy,
Below is the log from dev_webdisp. Any iddea?
trc file: "dev_webdisp", trc level: 1, release: "700"
sysno 00
sid
systemid 562 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 110
intno 20050900
make: multithreaded, ASCII, 64 bit, optimized
pid 2892
[Thr 2800] started security log to file dev_icm_sec
[Thr 2800] SAP Web Dispatcher running on: psahrmswd
[Thr 2800] MtxInit: 30001 0 2
[Thr 2800] IcmInit: listening to admin port: 65000
[Thr 2188] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
X.509 cert data will be removed from header [http_plgrt.c 670]
[Thr 2188] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist [http_adm.cpp 286]
[Thr 2188] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist - nothing extracted [http_adm.cpp 301]
[Thr 2188] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=0, flags=4101) for /sap/wdisp/admin:0
[Thr 2188] CsiInit(): Initializing the Content Scan Interface
[Thr 2188] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
[Thr 2188] CsiInit(): CSA_LIB = ".\sapcsa.dll"
[Thr 2188] *** ERROR => DlLoadLib: LoadLibrary(.\sapcsa.dll) Error 126 [dlnt.c 237]
[Thr 2188] Error 126 = "The specified module could not be found."
[Thr 2188] *** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth.c 300]
[Thr 2188] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=1, flags=12293) for /:0
[Thr 2188] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=2, flags=28677) for /:0
[Thr 2188] =================================================
[Thr 2188] = SSL Initialization on PC with Windows NT
[Thr 2188] = (700_REL,May 21 2007,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 2188] SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "U:\secudir\sec\sapcrypto.dll"
 resulting Filename = "U:\secudir\sec\sapcrypto.dll"
[Thr 2188] SapISSLComposeFilename(): profile param "ssl/server_pse" = "U:\secudir\sec\SAPSSL.pse"
 resulting Filename = "U:\secudir\sec\SAPSSL.pse"
[Thr 2188] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
[Thr 2188] = current UserID: PSAHRMSWD\Administrator
[Thr 2188] = found SECUDIR environment variable
[Thr 2188] = using SECUDIR=U:\secudir\sec
[Thr 2188] *** ERROR => secudessl_Create_SSL_CTX(): PSE "U:\secudir\sec\SAPSSL.pse" not found! [ssslsecu.c 1296]
[Thr 2188] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 2188] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2188] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
[Thr 2188] << -
End of Secude-SSL Errorstack -
[Thr 2188] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2188] =================================================
[Thr 2188] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 2188] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
[Thr 2800] IcmCreateWorkerThreads: created worker thread 0
[Thr 2800] IcmCreateWorkerThreads: created worker thread 1
[Thr 2800] IcmCreateWorkerThreads: created worker thread 2
[Thr 2800] IcmCreateWorkerThreads: created worker thread 3
[Thr 2800] IcmCreateWorkerThreads: created worker thread 4
[Thr 2800] IcmCreateWorkerThreads: created worker thread 5
[Thr 2800] IcmCreateWorkerThreads: created worker thread 6
[Thr 2800] IcmCreateWorkerThreads: created worker thread 7
[Thr 2800] IcmCreateWorkerThreads: created worker thread 8
[Thr 2800] IcmCreateWorkerThreads: created worker thread 9
[Thr 2832] IcmWatchDogThread: watchdog started

Client authentication in PI when SAP Web dispatcher terminates SSL

PI Security Experts,
Here is our design for Third-party Peoplesoft system initiating SOAP Call to PI Web Service created on our PI server.
1) Third-party Peoplesoft Application server initiates a SOAP call.
2) Third-party Network Gateway has a URL server certificate from our gateway and our gateway server has a root certificate from the CA used by third-party gateway. this will be used to establish the SSL tunnel between gateway.
3) SOAP request in our network will be routed through load balancer to SAP web dispatcher.
4) SAP web dispatcher terminates SSL connection
5) We will generate client cert for authentication and pass it onto third-party which they will load onto their PeopleSoft application server. SOAP call initiating from the PeopleSoft server will pass the client cert along with the message (My understanding is that the client cert will not be a part of SOAP message body. Ina other words we are not implementing message-level security. Is that true? How will the client cert be passed? How and where will a client attach the client cert with message?My understanding is that this is a network layer security and client certificate will be authenticated on PI J2ee server at SSL protocol level..Is my understanding correct?)
6) We will also load client certificate generated for client onto J2EE server using Visual Admin and map it to PI user for authentication.
7) SAP web dispatcher terminates SSL and passes the SOAP message to PI (J2EE) along with client cert in a http header variable.
There is some conflicting SAP documents. some say that client cert can't be used for PI authentication if Web Dispatcher terminates SSL connection (http://help.sap.com/saphelp_nw04s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm). There is some other documents that say that authentication using client cert is possible by having J2EE trusting Web Dispatcher and by passing client cert from Web Dispatcher to J2EE in a httpheader variable (http://help.sap.com/saphelp_erp2005/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm).
Now if client cert authentication is possible even if Web dispatcher terminates SSL, what cert do we need on J2EE, a cert from Web dispatcher or a client cert that's coming in from the client appication (the one that we created and provided to our third-party)?
If we install a cert from web dispatcher on J2EE then do we need a client cert on Web dispatcher instead of on J2EE? If so how and where do we map client cert to PI User?
I will really appreciate any advise on whether we are going down the right path and any pointers to my questions.
Thanks,
Saurabh

Hi,
May be below links will be helpful
Check the following links.. you will get the information all about the securities...
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Also find soeminformation in these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
Step by step guide for SSL security
step by step guide to implement SSL
Please go through below link for referance (above information is from below link)
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Regarding message level you can encrypt the message using certificates.
For both of this basis team has to deploy the releavant certificates in XI ABAP Stack or Java stack.
Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
Thanks
Swarup

Issues with our SSL connection to the Web dispatcher

HI Alle,
I having issues with our SSL connection to the Web dispatcher with SAP Web AS. Below is the error in the log files form dev_webdisp:
Started service 80 for protocol HTTP on host "wdpeht1"(on all adapters) (processing timeout=120, keep_alive_timeout=30)
[Thr 368] =================================================
[Thr 368] = SSL Initialization on PC with Windows NT
[Thr 368] = (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 368] profile param "ssl/ssl_lib" = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
 resulting Filename = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
[Thr 368] profile param "ssl/server_pse" = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
 resulting Filename = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
[Thr 368] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe
[Thr 368] = current UserID: WDPEHT1\SAPServiceWDP
[Thr 368] = found SECUDIR environment variable
[Thr 368] = using SECUDIR=E:\usr\sap\WDP\W00\sec
[Thr 368] * ERROR => secudessl_Create_SSL_CTX(): PSE "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" not found! [ssslsecu.c 1354]
[Thr 368] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 4129 (0x00001021) = "The PSE does not exist"*
[Thr 368] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 368] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
ERROR in af_open: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
[Thr 368] << -
End of Secude-SSL Errorstack -
[Thr 368] * ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
 for "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" [ssslxxi.c 2278]*
[Thr 368]* ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 368] =================================================
[Thr 368] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR*
[Thr 368] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
[Thr 2128] IcmCreateWorkerThreads: created worker thread 0
Regards

Hi Olivier,
Thanks for replay,
The PSE does exist in my SEC "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" .
I did tried Again I get this error. I think I missing som parameter
= SSL Initialization on PC with Windows NT
[Thr 2292] = (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 2292] profile param "ssl/ssl_lib" = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
 resulting Filename = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
[Thr 2292] profile param "ssl/server_pse" = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
 resulting Filename = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
[Thr 2292] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe
[Thr 2292] = current UserID: WDPEHT1\SAPServiceWDP
[Thr 2292] = found SECUDIR environment variable
[Thr 2292] = using SECUDIR=E:\usr\sap\WDP\W00\sec
[Thr 2292] -*ERROR => secudessl_Create_SSL_CTX(): PSE "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" not found! [ssslsecu.c 1354]
[Thr 2292] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1281 (0x00000501) = "open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned"*-
[Thr 2292] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2292] -*ERROR in SSL_CTX_set_default_pse_by_name: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"*-
-*ERROR in ssl_set_pse: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
ERROR in af_open: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"*-
ERROR in secsw_open: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
ERROR in secsw_open_pse_or_extension: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
ERROR in sec_get_PSEtype: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
ERROR in aux_read_PSEFile: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
ERROR in aux_file2OctetString: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
[Thr 2292] << -
End of Secude-SSL Errorstack -
[Thr 2292] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
 for "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" [ssslxxi.c 2278]
[Thr 2292] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2292] =================================================
[Thr 2292] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 2292] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
Her is my profile parameter for https.
h6*#Https parameters for Web dispatcher E:\usr\sap\WDP\W00\sec
#icm/server_port_0 = PROT=HTTPS,PORT=443$$
DIR_INSTANCE = E:\usr\sap\WDP\W00\sec
ssl/ssl_lib = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
ssl/server_pse = E:\usr\sap\WDP\W00\sec\SAPSSL.pse
wdisp/ssl_cred = E:\usr\sap\WDP\W00\sec\SAPSSL.pse
ssf/ssfapi_lib = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
sec/libsapsecu = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
ssf/name = SAPSECULIB
wdisp/ssl_encrypt = 0
icm/server_port_1=PROT=HTTPS, PORT=8400, TIMEOUT=120
###icm/server_port_1=PROT=HTTPS, PORT=44302, TIMEOUT=900 (old)
########icm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=120
icm/HTTPS/verify_client=0
wdisp/add_client_protocol_header = true
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/ssl_auth= 0
ms/https_port = 8400
wdisp/HTTP/use_pool_for_new_conn=1
wdisp/HTTPS/dest_logon_group = HTTPS
#wdisp/server_info_protocol = https
#wdisp/group_info_protocol = https
#wdisp/url_map_protocol = https
wdisp/ssl_ignore_host_mismatch = fals
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/trust_client_with_issuer = CN = SAP CA,*
icm/HTTPS/trust_client_with_subject = CN = sapwebdisp,*h6
Regards

Web Dispatcher SSL query

Similar Messages

Maybe you are looking for