How-To Guide

SAP NetWeaver
Document Version: 1.0 - 2014-02-02

How to Configure SAP Web Dispatcher as a Reverse

Proxy for SAP CRM or ECC Systems Using SAP HCI

Document History
Document Version

Description

1.0

First official release of this guide

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Document History

2014 SAP AG or an SAP affiliate company. All rights reserved.

Table of Contents
1

Business Scenario.................................................................................................................................. 4

Background Information ....................................................................................................................... 4

Prerequisites .......................................................................................................................................... 4

Step-by-Step Procedure........................................................................................................................ 5
4.1
4.2
4.3
4.4
4.5
4.6

Installation of SAP Web Dispatcher .............................................................................................. 5

Update SAP Web Dispatcher Kernel ............................................................................................. 9
SAP Web Dispatcher SSL Configuration ...................................................................................... 9
SAP Web Dispatcher Configuration for x.509 .............................................................................14
Add client root certificate from WD into SSL Server Standard .................................................18
Add Parameters to the SAP ABAP Profile .................................................................................. 20

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Table of Contents

2014 SAP AG or an SAP affiliate company. All rights reserved.

Business Scenario

This document explains the required steps to configure SAP Web Dispatcher as reverse proxy for an onpremise CRM or ECC system for integration with SAP Cloud for Customers using HANA Cloud Integration.

Background Information

This scenario covers HTTPS communication from HCI all the way to CRM or ECC with SSL termination in the
SAP Web Dispatcher.This configuration is based on the steps to enable x.509 authentication, which is required
when HANA Cloud Integration is used as integration layer. In this case we use a Windows server to illustrate
the process, but the steps should be very similar in other operating systems systems.
Note: There could be other parameters involved for proper operation of SSL configuration and Web
Dispatcher, but this How-to document describes the minimum required for this scenario to work.

Prerequisites

The chief prerequisite is that the SAP CRM or ECC systems are already configured with SSL.
These tasks should be performed by a qualified SAP Basis Administrator, with a solid conceptual
understanding of SSL and certificate-based encryption concepts.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Business Scenario

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

Step-by-Step Procedure

This scenario covers and HTTPS communication from HCI all the way to CRM with SSL termination in the SAP
Web Dispatcher.
This configuration is based in the required steps to enable x.509 authentication required when HANA Cloud
Integration is used as integration layer. In this case we use a Windows server, but the steps should be very
similar for other OS systems.

4.1

Installation of SAP Web Dispatcher

...

There are multiple ways to install the SAP Web Dispatcher but in this case we will use the SAPINST tool, it is
also possible to use the SWPM or do manual installation.
1.

Start SAPINST in the host where SAP Web Dispatcher will be installed.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

2.

Select the option to install Web Dispatcher, and click Next.

3.

Enter the system name and location of the installation.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

4.

Enter the master password.

5.

Enter the location of the non-unicode kernel.

6.

Enter the hostname and port number of the message server of the CRM or ECC system.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

7.

Enter the system number, port number and configuration size.

8.

If required, activate the ICF services.

9.

The installation proceeds

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

10. Click OK to finish the installation.

4.2

Update SAP Web Dispatcher Kernel

...

SAP note 908097 exaplains the process to update the kernel and the different release convinations that are
supported.

4.3

SAP Web Dispatcher SSL Configuration

...

1.

Download the latest SAP Cryptographic tools. This package is avaialable in the SAP Marketplace under
SWDC.

2.

Copy the SAP cryptographic binaries to the location of the Web Dispatcher kernel. This file include the
sapgenpse and the library file. For example:
sapgenpse.exe
sapcrypto.dll

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

3.

Copy the file ticket to the sec directory under the Web Dispatcher instance directory.

4.

Add the following SSL relevant parameters to the Web Dispatcher profile:
DIR_INSTANCE
ssl/ssl_lib
ssl/server_pse
ssl/client_pse
icm/server_port_1
For example:
DIR_INSTANCE = D:\usr\sap\WCR\W35
ssl/ssl_lib=D:\usr\sap\WCR\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse=D:\usr\sap\WCR\W35\sec\SAPSSLS.pse
ssl/client_pse=D:\usr\sap\WCR\W35\sec\SAPSSLC.pse
icm/server_port_1 = PROT=HTTPS, PORT=1445, TIMEOUT=900

5.

Set parameter wdisp/ssl_encrypt. This parameter determines how the SAP Web Dispatcher handles
inbound HTTP(S) requests. The following values are permitted:
0: Forward the request unencrypted.
1: Encrypt the request again with SSL, in case the request arrived via HTTPS protocol.
2: Always forward the request encrypted with SSL.

6.

Create Server PSE using the following command:

sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN>
<Distinguished_Name>
For example:
sapgenpse get_pse -p SAPSSLS.pse -x password -r D:\usr\sap\WCR\W35\sec\cert.req
"CN=hostname.domain, OU=SAPLabs, OU=SAP, O=SAP, C=US"
It is important that the CN used match the DNS name that will be used to communicate from HCI
to the CRM/ECC system.
The sapgenpse command will create two files, the actual PSE file and the certificate request for
signature.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

10

It is possible to use the STRUST to create both. More details of both methods may be found via
the link below:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a11
4084/content.htm
7.

Sign certificate request by a CA. For testing purposes in this example we are using the SSL test Server
certificate under the SAP Trust Center in the marketplace, but you can use your own CA.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

11

8.

Click in SSL Test server Certificate and then in Test Now.

9.

Enter the certificate request and click Continue.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

12

10. Copy the full string and paste into a text file

11. Import certificate request response into PSE. First, obtain the root certificate of the CA that was used to
sign your certificate. In this case we get it from the download area for the SAP SSL Test Server CA
Certificate.

12. Execute the following command to import the response into the PSE:
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r
<RootCA_cert_file>] -x <PIN>
Below is an example
sapgenpse import_own_cert -c D:\usr\sap\WCR\W33\sec\signedcert.cer -p SAPSSLS.pse -x
password -r D:\usr\sap\WCR\W33\sec\getCert.cer
More details may be found via the following link:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

13

13. Use the following command to create a credentials file:

sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O
[<Windows_Domain>\]<user_ID>
For example:
sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLS.pse -x password -O
SAPServiceWCR
14. Restart the Web Dispatcher.

4.4

SAP Web Dispatcher Configuration for x.509

...

1.

Use the following command to create the server PSE:

sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN>
<Distinguished_Name>
For example:
sapgenpse get_pse -p SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\clientcert.req
"CN=WCR_35, OU=SAPLabs, OU=SAP, O=SAP, C=US"
It is important to note the CN used because later on will be used as value for one of the parameter
profiles in CRM/ECC.
The previous command will create two files, the actual PSE file and the certificate request for
signature

It is possible to use the STRUST to create both. More details of both methods in the link below:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

14

2.

Sign certificate request by a CA. For testing purposes, in this example, the SSL test Server certificate
under the SAP Trust Center in the marketplace is used, but you can use your own CA.

3.

Click in SSL Test server Certificate and then in Test Now.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

15

4.

Enter the certificate request and click Continue.

5.

Copy the full string and paste into a text file.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

16

6.

Import certificate request response into PSE. Obtain the root certificate of the CA that was used to sign
your certificate, in this case we get it from the download area for the SAP SSL Test Server
CA .Certificate.

7.

Execute the following command to import the response into the PSE:
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r
<RootCA_cert_file>] -x <PIN>
For example:
sapgenpse import_own_cert -c D:\usr\sap\WCR\W35\sec\signedclientcert.cer -p
SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\getCert.cer
More details on:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm

8.

Use the following command to create a credentials file:

sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O
[<Windows_Domain>\]<user_ID>
For example:
sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLC.pse -x password -O
SAPServiceWCR

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

17

9.

Use the following command to import the SSL root certificate or SSL server certificate from your
CRM/ECC system. This will allow to establish a connection from the Web Dispatcher into the ICM of the
application server.
.maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [-x <PIN>]
For example:
sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\getCert.cer -p
D:\usr\sap\WCR\W35\sec\SAPSSLC.pse -x password

10.

Set the following parameters in the profile of the Web Dispatcher:

wdisp/ssl_encrypt = 1
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client=1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WCR\W35\sec\SAPSSLC.pse

11.

Use the following command to import the root certificate used to sign the HCI x.509 certificate into the
SSL server PSE.
sapgenpse maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [x <PIN>]
For example:
sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\SAPPassportCA.cer -p SAPSSLS.pse -x
password

12.

4.5

Restart the Web Dispatcher.

Add client root certificate from WD into SSL Server

Standard

1.

Call transaction STRUST

2.

Open the SSL Server server Standard

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

18

3.

Load the root certificate used to sign the client certificate from the SAP Web Dispatcher clicking in
Import Certificate button

4.

Select the file that needs to be upload and load the file hitting enter

5.

Click in Add to Certificate List Button

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

19

6.

4.6

Click in the Save

Add Parameters to the SAP ABAP Profile

...

7.

The following two parameters must be added to the SAP ABAP profile:
icm/HTTPS/trust_client_with_issuer
icm/HTTPS/trust_client_with_subject
The subject here is the same subject that was used during the creation of the client PSE of the Web
Dispatcher:
icm/HTTPS/trust_client_with_subject = CN=WCR_15, OU=SAPLabs, OU=SAP, OU=Server,
O=SAP Trust Community, C=DE
This is the entity who signed the client PSE certificate from the Web Dispatcher, the issuer of the
certificate.
icm/HTTPS/trust_client_with_issuer = CN=Server CA, OU=Server, O=SAP Trust Community,
C=DE

8.

Restart the ABAP system.

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure

2014 SAP AG or an SAP affiliate company. All rights reserved.

CONFIDENTIAL

20

www.sap.com/contactsap

www.sdn.sap.com/irj/sdn/howtoguides

2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in
any form or for any purpose without the express permission of SAP
AG. The information contained herein may be changed without
prior notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The
only warranties for SAP Group products and services are those
that are set forth in the express warranty statements
accompanying such
products and services, if any. Nothing herein should be construed
as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.