Beruflich Dokumente
Kultur Dokumente
SAP NetWeaver
Document Version: 1.0 - 2014-02-02
Document History
Document Version
Description
1.0
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Document History
Table of Contents
1
Business Scenario.................................................................................................................................. 4
Prerequisites .......................................................................................................................................... 4
Step-by-Step Procedure........................................................................................................................ 5
4.1
4.2
4.3
4.4
4.5
4.6
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Table of Contents
Business Scenario
This document explains the required steps to configure SAP Web Dispatcher as reverse proxy for an onpremise CRM or ECC system for integration with SAP Cloud for Customers using HANA Cloud Integration.
Background Information
This scenario covers HTTPS communication from HCI all the way to CRM or ECC with SSL termination in the
SAP Web Dispatcher.This configuration is based on the steps to enable x.509 authentication, which is required
when HANA Cloud Integration is used as integration layer. In this case we use a Windows server to illustrate
the process, but the steps should be very similar in other operating systems systems.
Note: There could be other parameters involved for proper operation of SSL configuration and Web
Dispatcher, but this How-to document describes the minimum required for this scenario to work.
Prerequisites
The chief prerequisite is that the SAP CRM or ECC systems are already configured with SSL.
These tasks should be performed by a qualified SAP Basis Administrator, with a solid conceptual
understanding of SSL and certificate-based encryption concepts.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Business Scenario
CONFIDENTIAL
Step-by-Step Procedure
This scenario covers and HTTPS communication from HCI all the way to CRM with SSL termination in the SAP
Web Dispatcher.
This configuration is based in the required steps to enable x.509 authentication required when HANA Cloud
Integration is used as integration layer. In this case we use a Windows server, but the steps should be very
similar for other OS systems.
4.1
...
There are multiple ways to install the SAP Web Dispatcher but in this case we will use the SAPINST tool, it is
also possible to use the SWPM or do manual installation.
1.
Start SAPINST in the host where SAP Web Dispatcher will be installed.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
2.
3.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
4.
5.
6.
Enter the hostname and port number of the message server of the CRM or ECC system.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
7.
8.
9.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
4.2
...
SAP note 908097 exaplains the process to update the kernel and the different release convinations that are
supported.
4.3
...
1.
Download the latest SAP Cryptographic tools. This package is avaialable in the SAP Marketplace under
SWDC.
2.
Copy the SAP cryptographic binaries to the location of the Web Dispatcher kernel. This file include the
sapgenpse and the library file. For example:
sapgenpse.exe
sapcrypto.dll
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
3.
Copy the file ticket to the sec directory under the Web Dispatcher instance directory.
4.
Add the following SSL relevant parameters to the Web Dispatcher profile:
DIR_INSTANCE
ssl/ssl_lib
ssl/server_pse
ssl/client_pse
icm/server_port_1
For example:
DIR_INSTANCE = D:\usr\sap\WCR\W35
ssl/ssl_lib=D:\usr\sap\WCR\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse=D:\usr\sap\WCR\W35\sec\SAPSSLS.pse
ssl/client_pse=D:\usr\sap\WCR\W35\sec\SAPSSLC.pse
icm/server_port_1 = PROT=HTTPS, PORT=1445, TIMEOUT=900
5.
Set parameter wdisp/ssl_encrypt. This parameter determines how the SAP Web Dispatcher handles
inbound HTTP(S) requests. The following values are permitted:
0: Forward the request unencrypted.
1: Encrypt the request again with SSL, in case the request arrived via HTTPS protocol.
2: Always forward the request encrypted with SSL.
6.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
10
It is possible to use the STRUST to create both. More details of both methods may be found via
the link below:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a11
4084/content.htm
7.
Sign certificate request by a CA. For testing purposes in this example we are using the SSL test Server
certificate under the SAP Trust Center in the marketplace, but you can use your own CA.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
11
8.
9.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
12
10. Copy the full string and paste into a text file
11. Import certificate request response into PSE. First, obtain the root certificate of the CA that was used to
sign your certificate. In this case we get it from the download area for the SAP SSL Test Server CA
Certificate.
12. Execute the following command to import the response into the PSE:
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r
<RootCA_cert_file>] -x <PIN>
Below is an example
sapgenpse import_own_cert -c D:\usr\sap\WCR\W33\sec\signedcert.cer -p SAPSSLS.pse -x
password -r D:\usr\sap\WCR\W33\sec\getCert.cer
More details may be found via the following link:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
13
4.4
...
1.
It is possible to use the STRUST to create both. More details of both methods in the link below:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
14
2.
Sign certificate request by a CA. For testing purposes, in this example, the SSL test Server certificate
under the SAP Trust Center in the marketplace is used, but you can use your own CA.
3.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
15
4.
5.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
16
6.
Import certificate request response into PSE. Obtain the root certificate of the CA that was used to sign
your certificate, in this case we get it from the download area for the SAP SSL Test Server
CA .Certificate.
7.
Execute the following command to import the response into the PSE:
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r
<RootCA_cert_file>] -x <PIN>
For example:
sapgenpse import_own_cert -c D:\usr\sap\WCR\W35\sec\signedclientcert.cer -p
SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\getCert.cer
More details on:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm
8.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
17
9.
Use the following command to import the SSL root certificate or SSL server certificate from your
CRM/ECC system. This will allow to establish a connection from the Web Dispatcher into the ICM of the
application server.
.maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [-x <PIN>]
For example:
sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\getCert.cer -p
D:\usr\sap\WCR\W35\sec\SAPSSLC.pse -x password
10.
11.
Use the following command to import the root certificate used to sign the HCI x.509 certificate into the
SSL server PSE.
sapgenpse maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [x <PIN>]
For example:
sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\SAPPassportCA.cer -p SAPSSLS.pse -x
password
12.
4.5
1.
2.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
18
3.
Load the root certificate used to sign the client certificate from the SAP Web Dispatcher clicking in
Import Certificate button
4.
Select the file that needs to be upload and load the file hitting enter
5.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
19
6.
4.6
...
7.
The following two parameters must be added to the SAP ABAP profile:
icm/HTTPS/trust_client_with_issuer
icm/HTTPS/trust_client_with_subject
The subject here is the same subject that was used during the creation of the client PSE of the Web
Dispatcher:
icm/HTTPS/trust_client_with_subject = CN=WCR_15, OU=SAPLabs, OU=SAP, OU=Server,
O=SAP Trust Community, C=DE
This is the entity who signed the client PSE certificate from the Web Dispatcher, the issuer of the
certificate.
icm/HTTPS/trust_client_with_issuer = CN=Server CA, OU=Server, O=SAP Trust Community,
C=DE
8.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Step-by-Step Procedure
CONFIDENTIAL
20
www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides