How to Configure SAP Web Dispatcher as Reverse Proxy for SAP … · 2019-11-12 · 4.1 Installation...

How-To Guide SAP NetWeaver Document Version: 1.0 - 2014-02-02 How to Configure SAP Web Dispatcher as a Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI


© 2014 SAP AG or an SAP affiliate company. All rights reserved.

Document History

Document Version    Description

1.0                 First official release of this guide


Table of Contents

1 Business Scenario

2 Background Information

3 Prerequisites

4 Step-by-Step Procedure

4.1 Installation of SAP Web Dispatcher

4.2 Update SAP Web Dispatcher Kernel

4.3 SAP Web Dispatcher SSL Configuration

4.4 SAP Web Dispatcher Configuration for x.509

4.5 Add client root certificate from WD into SSL Server Standard

4.6 Add Parameters to the SAP ABAP Profile


1 Business Scenario

This document explains the required steps to configure SAP Web Dispatcher as a reverse proxy for an on-premise CRM or ECC system for integration with SAP Cloud for Customers using HANA Cloud Integration.

2 Background Information

This scenario covers HTTPS communication from HCI all the way to CRM or ECC with SSL termination in the SAP Web Dispatcher. This configuration is based on the steps to enable x.509 authentication, which is required when HANA Cloud Integration is used as the integration layer. In this case we use a Windows server to illustrate the process, but the steps should be very similar on other operating systems.

Note: There could be other parameters involved for proper operation of SSL configuration and Web Dispatcher, but this How-to document describes the minimum required for this scenario to work.

3 Prerequisites

The chief prerequisite is that the SAP CRM or ECC systems are already configured with SSL.

These tasks should be performed by a qualified SAP Basis Administrator with a solid conceptual understanding of SSL and certificate-based encryption.


4 Step-by-Step Procedure

This scenario covers HTTPS communication from HCI all the way to CRM with SSL termination in the SAP Web Dispatcher.

This configuration is based on the steps to enable x.509 authentication, which is required when HANA Cloud Integration is used as the integration layer. In this case we use a Windows server, but the steps should be very similar on other operating systems.

4.1 Installation of SAP Web Dispatcher

There are multiple ways to install the SAP Web Dispatcher. In this case we use the SAPINST tool, but it is also possible to use SWPM or to do a manual installation.

1. Start SAPINST in the host where SAP Web Dispatcher will be installed.


2. Select the option to install Web Dispatcher, and click Next.

3. Enter the system name and location of the installation.


4. Enter the master password.

5. Enter the location of the non-unicode kernel.

6. Enter the hostname and port number of the message server of the CRM or ECC system.


7. Enter the system number, port number and configuration size.

8. If required, activate the ICF services.

9. The installation proceeds…


10. Click OK to finish the installation.

4.2 Update SAP Web Dispatcher Kernel

SAP note 908097 explains the process to update the kernel and the different release combinations that are supported.

4.3 SAP Web Dispatcher SSL Configuration

1. Download the latest SAP Cryptographic tools. This package is available in the SAP Marketplace under SWDC.

2. Copy the SAP cryptographic binaries to the location of the Web Dispatcher kernel. This package includes sapgenpse and the library file. For example:

sapgenpse.exe

sapcrypto.dll


3. Copy the file ticket to the sec directory under the Web Dispatcher instance directory.

4. Add the following SSL relevant parameters to the Web Dispatcher profile:

DIR_INSTANCE

ssl/ssl_lib

ssl/server_pse

ssl/client_pse

icm/server_port_1

For example:

DIR_INSTANCE = D:\usr\sap\WCR\W35

ssl/ssl_lib=D:\usr\sap\WCR\SYS\exe\nuc\NTAMD64\sapcrypto.dll

ssl/server_pse=D:\usr\sap\WCR\W35\sec\SAPSSLS.pse

ssl/client_pse=D:\usr\sap\WCR\W35\sec\SAPSSLC.pse

icm/server_port_1 = PROT=HTTPS, PORT=1445, TIMEOUT=900

5. Set parameter wdisp/ssl_encrypt. This parameter determines how the SAP Web Dispatcher handles inbound HTTP(S) requests. The following values are permitted:

0: Forward the request unencrypted.

1: Encrypt the request again with SSL, in case the request arrived via HTTPS protocol.

2: Always forward the request encrypted with SSL.

6. Create Server PSE using the following command:

sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

For example:

sapgenpse get_pse -p SAPSSLS.pse -x password -r D:\usr\sap\WCR\W35\sec\cert.req "CN=hostname.domain, OU=SAPLabs, OU=SAP, O=SAP, C=US"

It is important that the CN used matches the DNS name that will be used to communicate from HCI to the CRM/ECC system.

The sapgenpse command will create two files, the actual PSE file and the certificate request for signature.

It is also possible to use transaction STRUST to create both. More details on both methods may be found via the link below:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm

7. Have the certificate request signed by a CA. For testing purposes, in this example we use the SSL Test Server certificate under the SAP Trust Center in the marketplace, but you can use your own CA.

8. Click SSL Test Server Certificate and then Test Now.

9. Enter the certificate request and click Continue.

10. Copy the full string and paste it into a text file.

11. Import the certificate request response into the PSE. First, obtain the root certificate of the CA that was used to sign your certificate. In this case we get it from the download area for the SAP SSL Test Server CA Certificate.

12. Execute the following command to import the response into the PSE:

sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

For example:

sapgenpse import_own_cert -c D:\usr\sap\WCR\W33\sec\signedcert.cer -p SAPSSLS.pse -x password -r D:\usr\sap\WCR\W33\sec\getCert.cer

More details may be found via the following link:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm


13. Use the following command to create a credentials file:

sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>

For example:

sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLS.pse -x password -O SAPServiceWCR

14. Restart the Web Dispatcher.

4.4 SAP Web Dispatcher Configuration for x.509

1. Use the following command to create the client PSE (SAPSSLC.pse in the example below):

sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

For example:

sapgenpse get_pse -p SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\clientcert.req "CN=WCR_35, OU=SAPLabs, OU=SAP, O=SAP, C=US"

It is important to note the CN used, because it is used later as the value of one of the profile parameters in CRM/ECC.

The previous command will create two files, the actual PSE file and the certificate request for signature.

It is also possible to use transaction STRUST to create both. More details on both methods may be found via the link below:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm

2. Have the certificate request signed by a CA. For testing purposes, in this example, the SSL Test Server certificate under the SAP Trust Center in the marketplace is used, but you can use your own CA.

3. Click SSL Test Server Certificate and then Test Now.


4. Enter the certificate request and click Continue.

5. Copy the full string and paste it into a text file.

6. Import the certificate request response into the PSE. Obtain the root certificate of the CA that was used to sign your certificate. In this case we get it from the download area for the SAP SSL Test Server CA Certificate.

7. Execute the following command to import the response into the PSE:

sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

For example:

sapgenpse import_own_cert -c D:\usr\sap\WCR\W35\sec\signedclientcert.cer -p SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\getCert.cer

More details on:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm

8. Use the following command to create a credentials file:

sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>

For example:

sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLC.pse -x password -O SAPServiceWCR

9. Use the following command to import the SSL root certificate or SSL server certificate from your CRM/ECC system. This allows the Web Dispatcher to establish a connection to the ICM of the application server.

sapgenpse maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [-x <PIN>]

For example:

sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\getCert.cer -p D:\usr\sap\WCR\W35\sec\SAPSSLC.pse -x password

10. Set the following parameters in the profile of the Web Dispatcher:

wdisp/ssl_encrypt = 1

icm/HTTPS/forward_ccert_as_header = true

icm/HTTPS/verify_client=1

wdisp/ssl_auth = 2

wdisp/ssl_cred = D:\usr\sap\WCR\W35\sec\SAPSSLC.pse

11. Use the following command to import the root certificate used to sign the HCI x.509 certificate into the SSL server PSE.

sapgenpse maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [-x <PIN>]

For example:

sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\SAPPassportCA.cer -p SAPSSLS.pse -x password

12. Restart the Web Dispatcher.

4.5 Add client root certificate from WD into SSL Server Standard

1. Call transaction STRUST.

2. Open the SSL Server Standard.

3. Load the root certificate used to sign the client certificate of the SAP Web Dispatcher by clicking the Import Certificate button.

4. Select the file that needs to be uploaded and load it by pressing Enter.

5. Click the Add to Certificate List button.

6. Click Save.

4.6 Add Parameters to the SAP ABAP Profile

7. The following two parameters must be added to the SAP ABAP profile:

icm/HTTPS/trust_client_with_issuer

icm/HTTPS/trust_client_with_subject

The subject here is the same subject that was used during the creation of the client PSE of the Web Dispatcher:

icm/HTTPS/trust_client_with_subject = CN=WCR_15, OU=SAPLabs, OU=SAP, OU=Server, O=SAP Trust Community, C=DE

The issuer is the entity that signed the client PSE certificate of the Web Dispatcher:

icm/HTTPS/trust_client_with_issuer = CN=Server CA, OU=Server, O=SAP Trust Community, C=DE

8. Restart the ABAP system.
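The parameters from sections 4.3, 4.4 and 4.6 only authenticate the Web Dispatcher to the back end when they agree with each other and with the certificate in the client PSE. The Python check below is an added example, not part of the SAP guide or of any SAP tool: the function names are hypothetical, the sample profiles are constructed from the example values in this guide, and comparing DNs by ignoring spacing and attribute-type case (with no escaped commas) is an assumption about what counts as a match.

```python
# Web Dispatcher values set in section 4.4, step 10 of this guide.
WD_EXPECTED = {"icm/HTTPS/forward_ccert_as_header": "true",
               "icm/HTTPS/verify_client": "1", "wdisp/ssl_auth": "2"}

def parse_profile(text):
    """Parse 'name = value' profile lines; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # split once: values contain '='
            params[name.strip()] = value.strip()
    return params

def dn(text):
    """DN as a list of (type, value) pairs so spacing and type case do not matter."""
    pairs = (rdn.partition("=") for rdn in text.split(","))
    return [(k.strip().upper(), v.strip()) for k, _, v in pairs]

def check(wd_text, abap_text, cert_subject, cert_issuer):
    """Return a list of findings; an empty list means the settings agree."""
    wd, abap, out = parse_profile(wd_text), parse_profile(abap_text), []
    for name, want in WD_EXPECTED.items():
        if wd.get(name, "").lower() != want:
            out.append(f"{name}: expected {want}, found {wd.get(name)!r}")
    if wd.get("wdisp/ssl_encrypt") not in ("1", "2"):  # 0 = forwarded unencrypted
        out.append("wdisp/ssl_encrypt: expected 1 or 2")
    # In this guide wdisp/ssl_cred and ssl/client_pse name the same PSE file.
    if wd.get("wdisp/ssl_cred", "").lower() != wd.get("ssl/client_pse", "-").lower():
        out.append("wdisp/ssl_cred differs from ssl/client_pse")
    for name, actual in (("icm/HTTPS/trust_client_with_subject", cert_subject),
                         ("icm/HTTPS/trust_client_with_issuer", cert_issuer)):
        if dn(abap.get(name, "")) != dn(actual):
            out.append(f"{name} does not match the Web Dispatcher client certificate")
    return out

# Constructed sample input, assembled from the example values in this guide.
WD_SAMPLE = r"""
ssl/client_pse=D:\usr\sap\WCR\W35\sec\SAPSSLC.pse
wdisp/ssl_encrypt = 1
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client=1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WCR\W35\sec\SAPSSLC.pse
"""
ABAP_SAMPLE = """
icm/HTTPS/trust_client_with_subject = CN=WCR_15, OU=SAPLabs, OU=SAP, OU=Server, O=SAP Trust Community, C=DE
icm/HTTPS/trust_client_with_issuer = CN=Server CA, OU=Server, O=SAP Trust Community, C=DE
"""
```

Call check() with the two profile texts and the subject and issuer read from the signed certificate in the client PSE. A subject that still shows the DN typed into the certificate request, rather than the one in the certificate the CA returned, is reported as a mismatch.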
