
SAP Web Dispatcher SSL Trust Configuration

How to Configure SAP Web Dispatcher to Trust Backend System SSL Certificate

TABLE OF CONTENTS
1 PREREQUISITE
2 SYMPTOM
3 EXPLANATION
4 SOLUTION
4.1 Determine Which PSE File Has To Be Modified
4.2 Retrieve Server Certificate
4.3 Copy the Contents of the Certificate to Clipboard
4.4 Import the Server Certificate into SAP Web Dispatcher


1 PREREQUISITE
• You have installed an SAP Web Dispatcher (version 742 PL 24 or higher).
• Web Dispatcher is configured with an SAP NetWeaver Application Server ABAP as backend system with one or multiple application server instances. [1]
• You can access the Web Dispatcher Administration with your browser (e.g. https://webdispatcher-host:port/sap/wdisp/admin). Use the credentials entered during Web Dispatcher installation. In case of problems, refer to the documentation.
• The ABAP system is configured with SSL server ports.
• You can connect with a browser directly to an ABAP application server instance via SSL, as shown in the following figure:

2 SYMPTOM
When you connect your browser to the SAP Web Dispatcher you see one of the following error messages:

Note: You may have to instruct your browser to ignore missing certificate trust when connecting to the SAP
Web Dispatcher.

Additionally the following (or similar) error messages are written to dev_webdisp.

Failed to verify peer certificate. Peer not trusted.

ERROR: SapSSLSessionStart(sssl_hdl=0x144bcf0)==SSSLERR_PEER_CERT_UNTRUSTED

ERROR => IcmConnPoolConnect: SapSSLSessionStart failed(-102): SSSLERR_PEER_CERT_UNTRUSTED

[1] This document describes the process for an Application Server ABAP as backend, but it can easily be adapted for all types of backend systems.


3 EXPLANATION
The SAP Web Dispatcher currently does not trust the application servers and, as a consequence, is not able to forward the received HTTP request to the application server.
To establish an SSL connection, the client has to trust the server. The client checks whether the server can be trusted by comparing the server’s SSL certificate and the certificates in its certificate chain [2] to a list of configured certificates that can be trusted. If the server offers a certificate that is not in this list, and the certificates of its root CA and intermediary CAs are not in this list either, the client will not trust the server and will abort the SSL handshake.

Browsers have to deal with this issue, too. But all browsers are delivered with a predefined list of trusted root
CAs. Because of this the browser trusts all servers with a certificate that has been signed by one of the major
root CAs.

The list of trusted certificates of the Web Dispatcher is initially empty for security reasons. It is the administrator's task to configure the list of trusted endpoints manually.

4 SOLUTION
4.1 Determine Which PSE File Has To Be Modified

By default the Web Dispatcher uses SAPSSLC.pse and its list of trusted certificates for connections to the
application server, but if you set additional parameters another PSE is used.

If you set the SSL_CLIENT_PSE subparameter in a wdisp/system_<xx> parameter, the Web Dispatcher
uses this file and you have to modify this PSE.

If this subparameter is not used, the parameter wdisp/ssl_auth has to be checked:

Value          PSE file to be modified

0              Modify the anonymous PSE. The anonymous PSE is named SAPSSLA.pse unless you set
               the parameter ssl/anon_pse.
1 or not set   Modify the standard client PSE SAPSSLC.pse. If you set the parameter
               ssl/client_pse=<filename>, modify <filename>.
2              Modify the file specified in wdisp/ssl_cred.
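
The decision procedure of this section, as an added example (not SAP code and not part of the original document): a Python script that reads a Web Dispatcher profile and reports, for each wdisp/system_<xx> entry, the PSE whose trust list has to be edited. The profile syntax ("name = value" lines, comma-separated subparameters, numeric <xx>), the sample values and the function names are assumptions.

```python
import re

# Constructed sample profile (not from a real system); syntax assumed: "name = value".
SAMPLE_PROFILE = """\
wdisp/ssl_auth = 0
ssl/anon_pse = anon_backend.pse
wdisp/system_0 = SID=ABC, MSHOST=abchost, MSPORT=8100, SSL_CLIENT_PSE=abc_client.pse
wdisp/system_1 = SID=XYZ, MSHOST=xyzhost, MSPORT=8101
"""

def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def global_pse(params):
    """PSE selected by wdisp/ssl_auth when no SSL_CLIENT_PSE subparameter applies."""
    auth = params.get("wdisp/ssl_auth", "1")      # "not set" is handled like 1
    if auth == "0":
        return params.get("ssl/anon_pse", "SAPSSLA.pse")
    if auth == "1":
        return params.get("ssl/client_pse", "SAPSSLC.pse")
    if auth == "2" and params.get("wdisp/ssl_cred"):
        return params["wdisp/ssl_cred"]
    raise ValueError(f"cannot resolve PSE for wdisp/ssl_auth={auth!r}")

def pse_per_system(params):
    """Map every wdisp/system_<xx> entry to the PSE that has to be modified."""
    result = {}
    for name, value in params.items():
        if not re.fullmatch(r"wdisp/system_\d+", name):   # <xx> assumed numeric
            continue
        # Subparameters are assumed to be comma-separated NAME=value pairs.
        sub = dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)
        override = sub.get("SSL_CLIENT_PSE", "").strip()
        # A per-system SSL_CLIENT_PSE takes precedence over wdisp/ssl_auth.
        result[name] = override or global_pse(params)
    return result or {"(no wdisp/system_<xx>)": global_pse(params)}

if __name__ == "__main__":
    for system, pse in pse_per_system(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{system}: import the backend CA certificate into {pse}")
```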

4.2 Retrieve Server Certificate

Open an ABAP application server’s HTTPS port in the browser:

You can use any path – for example “/sap/public/icman/ping”.

[2] The certificate chain contains the certificates of the root certificate authority (CA) and, optionally, multiple intermediary CAs.


If using Internet Explorer, click on the lock symbol, then “View Certificate”. Other browsers may have different ways to access the certificate information of the visited web site. In Chrome, click on the lock, then select the “Connection” tab. In Firefox, click on the lock, then the right angle bracket, then “More Information”, then “View Certificate”.

Next you see a window with certificate information. Select the “Certificate Path” tab.

Select the certificate you consider appropriate. Usually, you want to select the certificate before the last in the chain, because this is usually used to sign all the individual server certificates in the system.

Additionally, it is recommended not to use the certificates of the servers directly, because then you would have to establish trust with every individual server.


Press “Copy to File”.

Select “Base-64 encoded X.509” format. Then proceed and save the file in a location of your choice.


4.3 Copy the Contents of the Certificate to Clipboard

Open the generated file in a text editor. The default Windows application Notepad, for example, is sufficient. The text editor will show base64 data that starts with “-----BEGIN CERTIFICATE-----” and ends with “-----END CERTIFICATE-----”.

Copy the entire text (including the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines) to your clipboard.


4.4 Import the Server Certificate into SAP Web Dispatcher

The last step is to import the server certificate into SAP Web Dispatcher.

Open the SAP Web Dispatcher Administration in your browser. If no signed server certificate is yet installed in
SAP Web Dispatcher, you may have to override missing trust. Use the user and password configured in SAP
Web Dispatcher during installation.

In SAP Web Dispatcher Administration, select the “PSE Management” tool.

In this tool, select “SAPSSLC.pse” [3] in the top row. The SAPSSLC.pse contains the client certificate and the list of trusted servers that the Web Dispatcher trusts as a client.

Press “Import Certificate” in the lower row. Paste the clipboard content (the base64 data) into the text box.

[3] If you added additional configuration, see chapter 4.1 to determine which PSE you have to select.


Now press “Import”. That’s it.


To check your success, wait a short time (in order to allow SAP Web Dispatcher to refresh its backend
information). Then go to the tool “Monitor Application Servers”. If everything was configured correctly, you will
see a list of application servers with green check marks:

Test your SAP Web Dispatcher backend connectivity with the Path “/sap/public/icman/ping”. Refresh the page
multiple times to see the effect of load balancing between the different application servers:


If not all application servers of the system are available, you will have to repeat these steps until certificates
for all application servers are added to the Web Dispatcher’s list of trusted endpoints.

www.sap.com
