How to implement Security Using:

• SAP WebDispatcher and SSL
• Authentication into J2EE application (like EP) using X.509 client certificates
• Swap an expired SSL certificate to a new one

Background and Requirement:

The following document describes how the NCC portal security was implemented.
This document should be used for SAP Consulting knowledge sharing purposes
only. Do not distribute it to non-SAP parties, as it contains sensitive information such as
the hostnames of our architecture.

The NCC portal infrastructure consisted of 3 servers:

Tsphl834.phl.sap.corp – Database
Tsphl845.phl.sap.corp – CI + SCS + 1 J2EE Dispatcher + 2 Server Nodes
Tsphl884.phl.sap.corp – 1 J2EE Dispatcher + 2 Server Nodes

An instance of SAP Web Dispatcher was created to run on tsphl834.phl.sap.corp to
provide a single point of entry to the portal infrastructure and also to load balance the traffic
to the J2EE cluster evenly.

There was also a need to provide SSL communications to the end user along with client
certificate authentication. Each end user would have a unique X.509 client certificate
which would be forwarded by the browser. The following is an example.

Design:

The SAP WebDispatcher has to accept and decrypt incoming SSL requests, which
carry the X.509 client certificate as well. Once it receives such a request, the SAP WebDispatcher
has to:
1. Extract the X.509 certificate information and add it to the HTTP request header
that is forwarded to the backend application.
2. Re-encrypt the outgoing request with another SSL certificate and forward it to the
backend application. This is a self-signed certificate.
3. The backend J2EE engine is configured to receive the request, decrypt it, take the
X.509 certificate information from the HTTP header variables, trust the end user's
identity from the client certificate's information and authenticate them into the
application.
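To make the trust relationships in this design explicit, here is an added Python model (example code written for this page, not SAP's or the NCC project's). It reproduces the two decisions that keep the forwarded certificate header from being abused: the WebDispatcher only accepts client certificates whose issuer is in its PK list, and the backend only believes the header when the TLS peer presenting it is the WebDispatcher it was configured to trust. The PK list, the header name SSL_CLIENT_CERT, the helper functions and all certificate values are assumptions or constructed data; nothing here parses real X.509.

```python
"""Added example, not SAP code: a model of the two trust decisions in the
design above. The SAP Web Dispatcher accepts a client certificate only if its
issuer is in the PK list of SAPSSLS.pse, and the backend believes the
forwarded certificate header only when the TLS peer is the Web Dispatcher it
was configured to trust. Certificates are constructed records; the header name
SSL_CLIENT_CERT and the helper functions are this example's assumptions."""
import base64
from dataclasses import dataclass
from typing import Optional


def normalize_dn(dn: str) -> str:
    """Canonical DN so that 'CN=SSO_CA, O=SAP-AG, C=DE' and
    'CN=SSO_CA,O=SAP-AG,C=DE' compare equal (spacing, attribute-type case)."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append(f"{key.strip().upper()}={value.strip()}")
    return ",".join(parts)


@dataclass
class Cert:
    subject: str
    issuer: str


def encode_cert(cert: Cert) -> str:
    """Stand-in for the base64 DER that the real header carries."""
    return base64.b64encode(f"{cert.subject}|{cert.issuer}".encode()).decode()


def decode_cert(value: str) -> Cert:
    subject, issuer = base64.b64decode(value).decode().split("|", 1)
    return Cert(subject, issuer)


@dataclass
class WebDispatcher:
    pk_list: list           # issuer DNs added with 'sapgenpse maintain_pk -a'
    own_cert: Cert          # certificate from SAPSSLC.pse, presented to the backend
    verify_client: int = 1  # icm/HTTPS/verify_client: 1 requests a certificate, 2 requires one

    def handle(self, client_cert: Optional[Cert]) -> dict:
        """Terminate the end-user TLS session and build the headers to forward."""
        headers = {}
        if client_cert is None:
            if self.verify_client == 2:
                raise PermissionError("client certificate required")
            return headers  # request continues without an identity
        trusted = {normalize_dn(dn) for dn in self.pk_list}
        if normalize_dn(client_cert.issuer) not in trusted:
            raise PermissionError("client certificate issuer not in PK list")
        # icm/HTTPS/forward_ccert_as_header = true
        headers["SSL_CLIENT_CERT"] = encode_cert(client_cert)
        return headers


@dataclass
class Backend:
    trust_subject: str  # icm/HTTPS/trust_client_with_subject on the J2EE side
    trust_issuer: str   # icm/HTTPS/trust_client_with_issuer on the J2EE side

    def authenticated_subject(self, peer_cert: Optional[Cert], headers: dict) -> Optional[str]:
        """Return the subject DN the application may log on, or None."""
        header = headers.get("SSL_CLIENT_CERT")
        if header is None or peer_cert is None:
            return None  # no forwarded identity, or no authenticated intermediary
        if (normalize_dn(peer_cert.subject) != normalize_dn(self.trust_subject)
                or normalize_dn(peer_cert.issuer) != normalize_dn(self.trust_issuer)):
            return None  # header did not come from the trusted Web Dispatcher: ignore it
        return decode_cert(header).subject


# Constructed setup mirroring the document: self-signed dispatcher certificate,
# SSO_CA as the only issuer trusted for end-user certificates.
DISPATCHER_DN = "CN=nccportal.phl.sap.corp,OU=NCC,O=SAP,L=Philadelphia,ST=Pennsylvania,C=US"
DISPATCHER = WebDispatcher(pk_list=["CN=SSO_CA, O=SAP-AG, C=DE"],
                           own_cert=Cert(DISPATCHER_DN, DISPATCHER_DN))
PORTAL = Backend(trust_subject=DISPATCHER_DN, trust_issuer=DISPATCHER_DN)


def logon_via_dispatcher(client_cert: Optional[Cert]) -> Optional[str]:
    """End-to-end path: user -> Web Dispatcher -> J2EE backend."""
    headers = DISPATCHER.handle(client_cert)
    return PORTAL.authenticated_subject(DISPATCHER.own_cert, headers)


if __name__ == "__main__":
    user = Cert("CN=jdoe,OU=NCC,O=SAP", "CN=SSO_CA,O=SAP-AG,C=DE")
    print(logon_via_dispatcher(user))  # CN=jdoe,OU=NCC,O=SAP
    print(logon_via_dispatcher(None))  # None: verify_client = 1 lets the request through without an identity
```

The second backend check is the one that matters operationally: with forward_ccert_as_header the header is just text, so the J2EE side must refuse it on any connection that is not authenticated as the WebDispatcher, which is what trust_client_with_subject and trust_client_with_issuer express.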

The SAP WebDispatcher profile file:

---------- BEGIN OF PROFILE FILE -------------------------------

# Profile generated by sapwebdisp bootstrap
#
# unique instance number
SAPSYSTEMNAME = WDD
SAPSYSTEM = 01
#
# Accessibility of Message Servers
rdisp/mshost = tsphl845.phl.sap.corp
ms/http_port = 8101
# ms/https_port=8104
# ms/server_port_0=3601

#
# SAP Web Dispatcher Parameters
wdisp/auto_refresh = 120
wdisp/max_servers = 100

# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin

# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900

# SAP Web Dispatcher Security Info
# Location of SAP Crypto Lib and PSE
DIR_INSTANCE = D:\sapwebdispatcher
ssl/ssl_lib = D:\sapwebdispatcher\sapcrypto.dll
ssl/server_pse = D:\sapwebdispatcher\sec\SAPSSLS.pse
ssl/client_pse = D:\sapwebdispatcher\sec\SAPSSLC.pse

# Re-Encryption of outgoing request to Backend Application
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\sapwebdispatcher\sec\SAPSSLC.pse
wdisp/ssl_certhost = nccportal.phl.sap.corp
#

# Description of the Resources
icm/min_threads = 20
icm/max_threads = 40
icm/max_conn = 500

# Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536

# Forwarding X.509 Digital Certificate to the backend application
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/trust_client_with_issuer = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/trust_client_with_subject = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/verify_client = 1

---------- END OF PROFILE FILE -------------------------------

The text highlighted in Yellow (the HTTPS port and the ssl/* parameters) is to accept incoming SSL requests from end users.
The text highlighted in Green (the wdisp/ssl_* parameters) is to re-encrypt and forward the SSL request to the backend
application.
The text highlighted in Dark Yellow (the icm/HTTPS/* parameters) is to read the X.509 client certificate from the
incoming request and forward it to the backend application in the request header.
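As an added example (not part of the original document and not an SAP tool), the following Python script reads the profile above and reports the settings that decide who gets into the portal: the plain HTTP port open next to HTTPS, the optional client certificate (verify_client = 1), and the certificate-header forwarding that the backend must tie to this dispatcher's identity. parse_profile, parse_port_spec and audit are this example's own functions; the profile values are the ones listed above, with comment lines omitted.

```python
"""Added example, not SAP code: parse the sapwebdisp profile shown above and
report its security-relevant settings. The profile text is copied from this
document (blank and comment lines omitted); the parameter meanings given in
the findings are this example's reading of the SAP parameter documentation."""

PROFILE = r"""
SAPSYSTEMNAME = WDD
SAPSYSTEM = 01
rdisp/mshost = tsphl845.phl.sap.corp
ms/http_port = 8101
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
icm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900
DIR_INSTANCE = D:\sapwebdispatcher
ssl/ssl_lib = D:\sapwebdispatcher\sapcrypto.dll
ssl/server_pse = D:\sapwebdispatcher\sec\SAPSSLS.pse
ssl/client_pse = D:\sapwebdispatcher\sec\SAPSSLC.pse
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\sapwebdispatcher\sec\SAPSSLC.pse
wdisp/ssl_certhost = nccportal.phl.sap.corp
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/trust_client_with_issuer = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/trust_client_with_subject = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/verify_client = 1
"""


def parse_profile(text: str) -> dict:
    """'key = value' lines; '#' starts a comment; the first '=' splits key and value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_port_spec(value: str) -> dict:
    """'PROT=HTTPS, PORT=443, TIMEOUT=900' -> {'PROT': 'HTTPS', 'PORT': '443', ...}"""
    spec = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        spec[key.strip().upper()] = val.strip()
    return spec


def audit(params: dict) -> dict:
    """Return finding-id -> explanation for the settings that decide who gets in."""
    findings = {}
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            spec = parse_port_spec(value)
            if spec.get("PROT", "").upper() == "HTTP":
                findings["plain-http-port"] = (
                    f"{key}: plain HTTP on port {spec.get('PORT')} is open next to HTTPS; "
                    "no client certificate can be presented there")
    if params.get("icm/HTTPS/verify_client") == "1":
        findings["client-cert-optional"] = (
            "icm/HTTPS/verify_client = 1: the certificate is requested but not mandatory, "
            "so requests without one still reach the backend without an identity")
    forwarding = params.get("icm/HTTPS/forward_ccert_as_header", "false").lower() == "true"
    if forwarding:
        findings["cert-header-forwarded"] = (
            "icm/HTTPS/forward_ccert_as_header = true: the backend must accept the header "
            "only from this dispatcher (trust_client_with_subject/issuer on the J2EE side)")
        if params.get("wdisp/ssl_encrypt") != "1":
            findings["header-forwarded-in-clear"] = (
                "wdisp/ssl_encrypt is not 1: the certificate header would cross the "
                "network to the backend unencrypted")
        if not params.get("wdisp/ssl_cred"):
            findings["no-dispatcher-identity"] = (
                "wdisp/ssl_cred is unset: the dispatcher presents no certificate, so the "
                "backend cannot distinguish it from any other sender of the header")
    return findings


if __name__ == "__main__":
    for finding_id, text in audit(parse_profile(PROFILE)).items():
        print(f"[{finding_id}] {text}")
```

Run against the profile above, the script reports the HTTP port, the optional client certificate and the header forwarding, and nothing for the re-encryption settings, because wdisp/ssl_encrypt and wdisp/ssl_cred are set.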

The SSL Setup for SAP WebDispatcher:

Most of the SSL setup is documented on the SAP Online Help Portal. See the
following link for details.

http://help.sap.com/saphelp_erp2005/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm

Steps performed:

• Created SAPSSLS.pse and a certificate request for the PSE. This certificate was
externally signed by the CA and imported into SAPSSLS.pse. Follow the link above.

• Created a certificate for the SAPSSLC.pse of the WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse gen_pse -p SAPSSLC.pse -x <password>
get_pse: Distinguished name of PSE owner: CN=nccportal.phl.sap.corp,OU=NCC,O=SAP,L=Philadelphia,ST=Pennsylvania,C=US
PKCS#10 certificate request for "D:\sapwebdispatcher\sec\SAPSSLC.pse":

-----BEGIN CERTIFICATE REQUEST-----
MIIBuDCCASECAQAweDELMAkGA1UEBhMCVVMxFTATBgNVBAkTDFBlbm5zeWx2YW5p
YTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlhMQwwCgYDVQQKEwNTQVAxDDAKBgNVBAsT
A05DQzEfMB0GA1UEAxMWbmNjcG9ydGFsLnBobC5zYXAuY29ycDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA//hfVi6O8vFXdU/lWVHMr8R35xAcQee/nPZqeVWv
BYJVbCzgjzIugVQKco2dZxOoruUqyBR9bE92shSxJM/+9pXKyOGvf7yv27xHWY4W
n/Kdxi008M57gj4JWb5Vxo4C6w7ZHp0SCt+nJ5IaXWkd8vpcq4kfrjOaYtvQJrw2
K3kCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIaLQTFY1ERCiniNap8/D4UL9G0c
+9JP2UinWaTlUdhIUDIz7CAZ0dq/xedL6Ok5iNN0lT5J9cRn49vT044NuRGNaYbX
D/hlDShYHQ1tK7dYmberbL7JEqtfOcTc2eCKFiXlwm9AEq5pXd/7RdDKUAuEuee9
UcaSa2U+OsWBmtXk
-----END CERTIFICATE REQUEST-----

• Exported the certificate from the SAPSSLC.pse of the WebDispatcher in P12 format, so that
it can be imported into the J2EE server, which only imports P12-formatted certificates.

D:\sapwebdispatcher\sec>sapgenpse export_p12 -p SAPSSLC.pse -x <password> nccportal.p12
Please enter PKCS#12 encryption password:
For verification, please reenter password:

• Imported the nccportal.p12 certificate file into the EP’s J2EE Engine’s keystore.

• Configured both J2EE dispatchers to use the self-signed certificate for all their
connections.

To read the X.509 certificate from the incoming request to SAP WebDispatcher:

• Added the SSO root certificate to the public key list of the SAPSSLS.pse of the
WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -a SSO_CA.cer
Please enter PIN:
----------------------------------------------------------------------------
Subject : CN=SSO_CA, O=SAP-AG, C=DE

PKList updated (1 entries total, 1 newly added)

• Viewed the public key list of the SAPSSLS.pse of the WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -l
Please enter PIN:
*** Object <PKList> is of the type <PKList_OID> ***

1. -------------------------------------------------------------
Version: 2 (X.509v3-1996)
SubjectName: CN=SSO_CA, O=SAP-AG, C=DE
IssuerName: CN=SSO_CA, O=SAP-AG, C=DE
SerialNumber: 00
Validity - NotBefore: Mon May 04 08:59:33 1998 (980504125933Z)
NotAfter: Mon May 03 08:59:33 2010 (100503125933Z)
Public Key Fingerprint: 0437 9264 5918 EB82 F7A2 A8C2 D5F2 A32F
SubjectKey: Algorithm RSA (OID 1.2.840.113549.1.1.1), NULL
Certificate extensions:
AuthorityKeyIdentifier:
Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
Subject Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
Key Usage: (CRITICAL) digitalSignature nonRepudiation keyEncipherment dataEncipherment keyCertSign cRLSign
Basic Constraints: allowed to act as a CA !

• Configure the backend J2EE engine as described in the following link.

http://help.sap.com/saphelp_nw04/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm

The following screenshots of the J2EE configuration provide more information:

Replacing expired SSL Cert:

The current SSL certificate in SAPSSLS.pse was the test SSL certificate from the CA,
which was valid for only 2 months. A CSR was created from SAPSSLS2.pse, for which a
production SSL certificate valid for 1 year was received. The following steps describe how the 2 certificates
were exchanged.

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"

The above result showed that the root certificate also needed to be imported to
complete the certificate chain. Hence, the CA certificates TC_RootServer_DER_Class2.cer and
TC_RootServer_PEM_Class2.cer (the server variants) were obtained from www.trustcenter.de
and imported into SAPSSLS2.pse. The results were:

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_PEM_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

AND

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_DER_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

Decided to export the certificate from IE 6.0 instead. Went to IE 6.0 and exported the
TrustCenter root certificate:
IE -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root
Certificate Authorities -> TC TrustCenter Class 2 CA -> Export -> Save as
Base 64 encoded (.CER) file.

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\FromBrowser.cer -x <password>
CA-Response successfully imported into PSE "D:\sapwebdispatcher\sec\SAPSSLS2.pse"

The above command completed successfully. Renamed the current SAPSSLS.pse to
SAPSSLS.pse.old and renamed SAPSSLS2.pse to SAPSSLS.pse. The reason for this was that
the cred_v2 file held credentials only for the SAPSSLS.pse file and not for SAPSSLS2.pse.
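To show why the first two import attempts failed and the third succeeded, here is an added Python model of the path check (example code written for this page, not sapgenpse's implementation). It walks issuer links from the new server certificate to a self-signed root and reports the two failures quoted above: a missing CA certificate ("Incomplete FCPath") and a CA certificate that carries no Basic Constraints extension. The certificate records are constructed, including the subject of Validcert.cer and the assumption that the downloaded root files lacked Basic Constraints while the browser-exported one had them.

```python
"""Added example, not SAP code: a model of the certificate path check that
'sapgenpse import_own_cert' performs, written from the error messages shown
above. Certificates are constructed records; the exact contents of the
trustcenter.de files were not inspected, so a root without a Basic Constraints
extension is this example's assumption for reproducing the second error."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def normalize_dn(dn: str) -> str:
    """Compare DNs regardless of spacing after commas and attribute-type case."""
    return ",".join(f"{k.strip().upper()}={v.strip()}"
                    for k, _, v in (rdn.partition("=") for rdn in dn.split(",")))


@dataclass
class CertInfo:
    subject: str
    issuer: str
    ca: Optional[bool]  # BasicConstraints cA flag; None when the extension is absent


def build_path(own: CertInfo, extra: List[CertInfo],
               max_len: int = 10) -> Tuple[List[CertInfo], Optional[str]]:
    """Walk issuer links from the own certificate to a self-signed root.
    Returns (path, None) on success or (partial path, error text) on failure."""
    by_subject = {normalize_dn(c.subject): c for c in extra}
    path = [own]
    current = own
    while normalize_dn(current.subject) != normalize_dn(current.issuer):
        if len(path) >= max_len:
            return path, "certificate path too long"
        issuer = by_subject.get(normalize_dn(current.issuer))
        if issuer is None:
            # first failure on the page: the CA certificate was not supplied at all
            return path, f'Incomplete FCPath, need certificate of CA : "{current.issuer}"'
        if issuer.ca is not True:
            # second failure on the page: the supplied CA certificate cannot act as a CA
            return path + [issuer], ("Verification of one certificate of path failed "
                                     "because there are no basic constraints")
        path.append(issuer)
        current = issuer
    return path, None


# Constructed data. The subject of Validcert.cer is assumed; the issuer DN is the
# one quoted in the first error message above.
TC_CLASS2_CA = ("EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, "
                "O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE")
VALIDCERT = CertInfo("CN=nccportal.phl.sap.corp,OU=NCC,O=SAP,L=Philadelphia,ST=Pennsylvania,C=US",
                     TC_CLASS2_CA, ca=False)
ROOT_WITHOUT_BC = CertInfo(TC_CLASS2_CA, TC_CLASS2_CA, ca=None)   # how the downloaded files behaved
ROOT_FROM_BROWSER = CertInfo(TC_CLASS2_CA, TC_CLASS2_CA, ca=True)  # FromBrowser.cer


def import_own_cert(own: CertInfo, root_files: List[CertInfo]) -> str:
    """Mimic the three outcomes seen above: two failures and one success."""
    path, error = build_path(own, root_files)
    if error:
        return f"import_own_cert: Installation of certificate failed ({error})"
    return f"CA-Response successfully imported, path length {len(path)}"


if __name__ == "__main__":
    print(import_own_cert(VALIDCERT, []))                   # Incomplete FCPath
    print(import_own_cert(VALIDCERT, [ROOT_WITHOUT_BC]))    # no basic constraints
    print(import_own_cert(VALIDCERT, [ROOT_FROM_BROWSER]))  # success
```

The practical lesson is the order of checks: the importer first needs every issuer up to a self-signed root to be present, and only then verifies that each of those issuers is marked as a CA, so a root file that is the right DN but the wrong encoding or an older profile without Basic Constraints gets past the first error only to fail the second.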

Restarted WebDispatcher. Everything worked fine. Logs did not complain about
initializing the SAPSSLS.pse. Log onto EP and double-click the SSL lock icon in the
bottom part of IE. You can check the “Certification Path” tab and see that the certificate
chain is now completely implemented as shown below.
But client authentication did not work. Had to add SSO_CA.cer to the PK
list of the "new" SAPSSLS.pse.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -a SSO_CA.cer
Please enter PIN:
----------------------------------------------------------------------------
Subject : CN=SSO_CA, O=SAP-AG, C=DE

PKList updated (1 entries total, 1 newly added)

Restarted WebDispatcher. Client Authentication now worked fine.
