Terminating SSL On SAP Web Dispatcher

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.
com
2010 SAP AG 1
Terminating SSL on SAP Web
Dispatcher
Applies to:
Configuring Terminating SSL on SAP Web dispatcher 7.0 and Higher. For more information, visit the
Operations homepage.
Summary
This document clearly explains the step-by-step procedure for the configuring Terminating SSL on SAP Web
dispatcher 7.0 and Higher. The procedure in the Document applies for configuration on Unix architecture. In
this Document we are configuring the SSL certificate by requesting the test certificate from SAP CA
Author: Anil Bhandary
Company: Capgemini India
Created on: 04 April 2010
Author Bio
Anil Bhandary has about three years of experience in software of SAP NetWeaver Technical
consultant in the area of ECC, SRM, EP, MDM, XI and solution Manager. Currently working
for capgemini.com
Terminating SSL on SAP Web Dispatcher
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com
2010 SAP AG 2
Table of Contents
1. Introduction ............................................................................................................................................... 3
2. Perquisites for configuring SSL.................................................................................................................. 3
2.1 Download SAP Cryptographic Binary from SAP Market Place. ............................................................. 3
3. Steps for configuring SSL. ......................................................................................................................... 4
3.1 Create sec Folder ................................................................................................................................ 4
3.2 Extracting the Cryptographic binary in EXE folder. ............................................................................... 4
3.3 Setting the Environment Variable for SSL certificate location. ............................................................... 4
3.4 Checking the Instance profile file of SAP web dispatcher...................................................................... 4
3.5 Command for generating certificate request. ........................................................................................ 5
3.6 Requesting the TEST certificate from SAP AG. .................................................................................... 6
3.7 Importing certificate in PSE. ............................................................................................................ 10
3.8 Importing Credential in PSE. ........................................................................................................... 10
3.7 Making Changes in Instance profile of SAP web dispatcher. ........................................................... 11
3.8 Changing the owner and rights of file ICMBND Binary..................................................................... 12
3.9 Stop and Start the SAP Web dispatcher after making all above changes......................................... 12
Related Contents. ....................................................................................................................................... 14
Disclaimer and Liability Notice ..................................................................................................................... 15

2010 SAP AG 3
1. Introduction
This Document will help you to understand how to go proceed for configuring Terminating SSL on SAP Web
dispatcher 7.0 and higher . Here we are requesting a test certificate from SAP CA, where this certificate is
required to start SAP Web dispatcher with SSL protocol
Note: - In this document you will see the SID = WJ1 and instance no = 01 (You will change the SID and instance no as
per your sap web dispatcher configuration)
In this document we are using Terminating SSL concept where the request is terminated at the SAP Web
Dispatcher. The incoming connection uses HTTPS and the outgoing connection uses HTTP. Therefore, in
such scenario we must configure the SAP Web Dispatcher as an SSL server.
Here user calls the URL of Portal using web dispatcher which is located in front of portal. Here URL is called
using HTTPS protocol which is configured on web dispatcher. When user hits the URL on HTTPS, the
HTTPS protocol get terminated on web dispatcher and it internal call the backend portal system using HTTP
protocol. It means encryption and decryption happened on Web dispatcher itself.
2. Perquisites for configuring SSL
2.1 Download SAP Cryptographic Binary from SAP Market Place.
Cryptographic Binary can be download from below link
http://service.sap.com/swdc
Download
SAP Cryptographic Software
After click on SAP Cryptographic Software you will get new browser window, where you have to select the
file and download the file depend upon the OS platform on which you have to configure SAP Router

2010 SAP AG 4
3. Steps for configuring SSL.
3.1 Create sec Folder
(Folder will contain SSL configuration files)
cd /usr/sap/<SID>/SYS
Mkdir sec

3.2 Extracting the Cryptographic binary in EXE folder.
Copy Downloaded Cryptographic Binary to /sapmnt/<SID>/exe and extract the binary using SAPCAR
# SAPCAR -xvf < Cryptographic Binary >

After extracting the SAR file you will get above files and addition file as ticket.
Copy this ticket file from EXE directory to /usr/sap/<SID>/SYS/sec/
3.3 Setting the Environment Variable for SSL certificate location.

3.4 Checking the Instance profile file of SAP web dispatcher.
(Profile file get created after successful installation of SAP web dispatcher)
You will get this instance profile file in location /sapmnt/<SID>/profile/
2010 SAP AG 5

3.5 Command for generating certificate request.
(This is needed to send SAP CA for getting the valid SSL Certificate)
sapgenpse get_pse -p SAPSSL.pse -r test.req "CN=abc.xyz.com, OU=ABC, O=ABC, C=IN"

Provide whatever password you prefer (Maintain the password for future reference)
2010 SAP AG 6

Here test.req is request file which need to send to SAP CA for generating the test certificate.
3.6 Requesting the TEST certificate from SAP AG.
a. Access the URL http://service.sap.com/tcs with valid Suser id and password
b. Click on SSL Test Server Certificate.

After clicking on SSL test server certificate, you will get below window.
Click here to get SSL Test
certificate from SAP
(This certificate just for
testing purpose)
2010 SAP AG 7

Click on Test it Now after clicking you will get below option.

Paste the output present in file test.req, which we have created in previous step
Find the below screenshot for your reference.
2010 SAP AG 8

Paste the content of test.req in Enter data for public key dialog box and select PKCS#7 certificate chain
in Choose server type selection tab.

2010 SAP AG 9
After filling the above column click on continue tab
After clicking on Continue you will get below dialog Box.

Copy the above output from Begin certificate to End certificate and paste it in text file and save the file as
import.cer as shown below

2010 SAP AG 10

After saving the file import.cer , copy the file to server on location /usr/sap/<SID>/SYS/sec/

3.7 Importing certificate in PSE.
sapgenpse import_own_cert -c import.cer -p SAPSSL.pse

Give the same password which we have given while generating test.req file.
3.8 Importing Credential in PSE.
sapgenpse seclogin -p SAPSSL.pse

Give the same password which we have given while generating test.req file.
After importing the credential additional file get created in sec folder, here the additional file name is
cred_v2

2010 SAP AG 11
3.7 Making Changes in Instance profile of SAP web dispatcher.
Make necessary changes in existing parameter as well as add some additional parameter in instance profile
of SAP web dispatcher.
Do the changes as per below screenshot
Here in this web dispatcher we have bind HTTP on port 8080 and HTTPS on 443

2010 SAP AG 12

3.8 Changing the owner and rights of file ICMBND Binary.
/sapmnt/<sid>/exe/icmbnd
Owner should be root :sapsys and rights should be 4750

3.9 Stop and Start the SAP Web dispatcher after making all above changes.

After webdispatcher started check the log files of webidpstahcer present in /usr/sap/<sid>/<instance>/work
In the work folder we have to check dev_webdisp and dev_icmbnd.
For e.g log will be look like below screenshot.
dev_webdisp
2010 SAP AG 13

dev_icmbnd

2010 SAP AG 14
Related Contents.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/39/09a63d7af20450e10000000a114084/content.htm
Note 974284 - SAP Web Dispatcher 7.00: Patch history
For more information, visit the Operations homepage.
2010 SAP AG 15
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not
supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document,
and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or
code sample, including any liability resulting from incompatibility between the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this
document.

Terminating SSL On SAP Web Dispatcher

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Terminating SSL On SAP Web Dispatcher

Uploaded by

Copyright:

Available Formats

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.

You might also like