Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to setup the SAP Web Dispatcher with SSL Re-encryption?

cris_hansen
Advisor
Advisor
‎04-06-2016 10:27 PM

There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End to End SSL. This blog will present the second scenario.


Prerequisites




  • SAP Web Dispatcher 7.20 or higher

  • SAPCRYPTOLIB 5.5.5 patch level 24 or higher (in this blog pl 32 is used)


Profile parameters


The standard SSL configuration demands the following three parameters:


 


ssl/ssl_lib     = <path>\sapcrypto.dll


ssl/server_pse  = <path>\SAPSSLS.pse


ssl/client_pse  = <path>\SAPSSLC.pse


As the WDP 7.20 or higher can connect to different systems, the following parameters were set:


wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000


wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001


The server ports also must be defined:


icm/server_port_0 = PROT=HTTP,PORT=9999


icm/server_port_1 = PROT=HTTPS,PORT=10000


icm/server_port_2 = PROT=HTTPS,PORT=10001


 


As the WDP will perform a re-encryption of the data, the parameter below must be set:


wdisp/ssl_encrypt = 1


At last, but not least, for testing purposes, the HTML dump into the trace will be enabled, along with a trace level 3. Important: the trace files will be HUGE! The parameters below should be set only for a quick test or for error analysis. The default trace level (i.e. 1) must be used in productive systems (and for security matters, the HTML dump should not be active).


icm/trace_secured_data = 1


rdisp/TRACE = 3


 


Checking the configuration


As soon as the profile file is saved, one can test the configuration by running:


 


sapwebdisp pf=sapwebdisp.pfl -checkconfig


No error message is expected (the result of the -checkconfig is the same as shown here)


The WDP is now ready to work!


 


 


Analyzing the scenario and the dev_webdisp trace file


Similar to other scenarios, the trace level 3 recorded in the dev_webdisp has plenty information. From a test calling a giving internet service (WEBGUI, for example) it is possible to see the moment the request reached the WDP:


 


"...


[Thr 6876] IcmWorkerThread: worker 2 got the semaphore


[Thr 6876] REQ TRACE BEGIN: 0/18/1


[Thr 6876] REQUEST:


    Type: ACCEPT_CONNECTION    Index = 2


[Thr 6876] CONNECTION (id=0/18):


    used: 1, type: default, role: Server(1), stateful: 0


    NI_HDL: 147, protocol: HTTPS(2)


    local host:  <WDP IP>:10000 ()


    remote host: <Client IP>:53691 ()


    status: NOP


    connect time: xx.zz.yyyy aa:bb:cc


    MPI request:        <0>      MPI response:        <0>  


request_buf_size:   0        response_buf_size:   0    


request_buf_used:   0        response_buf_used:   0    


request_buf_offset: 0 response_buf_offset: 0    


..."


 


Next it is possible to check the SSL handshake between the client and the server (WDP):


"...


[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))


[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K


[Thr 6876]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"


[Thr 6876]     out: sssl_hdl = 0000000002D7D810


[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)


[Thr 6876] NiIBlockMode: set blockmode for hdl 147 TRUE


[Thr 6876]   SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:53691


[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)==SAP_O_K


[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7D810)


[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"


[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"


[Thr 6876]   No Client Certificate


[Thr 6876]   New session (TLSv1.0)


[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53EE4, buf_len= 32 }


[Thr 6876]    00000: 5f d1 b3 37 34 1f 33 fc  84 a5 d8 c3 01 4f fe b1   _..74.3. .....O..


[Thr 6876] 00010: 33 99 af e4 20 0f 1a 88  77 24 e2 2f 4a d8 64 c6   3... ... w$./J.d.


[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7D810)==SAP_O_K


[Thr 6876] status = "new SSL session, NO client cert"


..."


 


The request is then read from the connection:


"...


[Thr 6876] IcmReadFromConn(id=0/18): read 443 bytes, 1 readops (timeout 0)


[Thr 6876] Address Offset  IcmReadFromConn received


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|


[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|


[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|


[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a4163 63657074 2d4c616e | */*..Accept-Lan|


..."


The WDP will reach the web application server ABAP via HTTPS:


"...


[Thr 6876] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request


[Thr 6876] ICR: IcrFindTargetSystem(0000000002D614F0, '/sap/bc/gui/sap/its/webgui' -> 0


[Thr 6876] HttpGetRouteTargetSystem: SID='AAA'


[Thr 6876] ICT: IctLookupPathTable() -> 0


[Thr 6876] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui


[Thr 6876] HTR: routing destination type = ICF/ABAP .


[Thr 6876] HTR: No esid found in request


[Thr 6876] HTR: HtrIExtractSessionID -> '' 0


[Thr 6876] HTR: stateless request (no valid session ID found) or initial request for stored session id


[Thr 6876] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/0valid=1 resp=1 capacity=10


[Thr 6876] ICR: IcrIFindMatchingPort for prot=1 stack=1 vhost=-1


[Thr 6876] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10


[Thr 6876] ICR: IcrIFindMatchingPort: compare with 1 0 443 10


[Thr 6876] ICR: IcrIFindMatchingPort: found matching port: prot=1 vhost=0 port=443 f=10


[Thr 6876] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00


[Thr 6876] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:443/1/0


..."


 


Since the connection to the server uses HTTPS, a new SSL handshake is necessary:


"...


[Thr 6876] NiHLGetNodeAddr: found hostname '<FQDN WAS>' in cache


[Thr 6876] NiIGetNodeAddr: hostname '<FQDN WAS>' = addr <WAS IP>


[Thr 6876] NiIGetServNo: servicename '443' = port 443


[Thr 6876] NiICreateHandle: hdl 153 state NI_INITIAL_CON


[Thr 6876] NiIInitSocket: set default settings for new hdl 153/sock 32916 (I4; ST)


[Thr 6876] NiIBlockMode: set blockmode for hdl 153 FALSE


[Thr 6876] NiIConnectSocket: hdl 153 is connecting to <WAS IP>:443 (timeout=5000)


[Thr 6876] SiPeekPendConn: connection of sock 32916 established


[Thr 6876] NiICheckPendConnection: connection of hdl 153 to <WAS IP>:443 established


[Thr 6876] NiIConnect: hdl 153 took local address <WDP IP>:53692


[Thr 6876] NiIConnect: state of hdl 153 NI_CONNECTED


[Thr 6876] IcmConnPoolConnect: Connection to host: <FQDN WAS>, service: 443 established (nihdl=153)


[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))


[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K


[Thr 6876]      in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"


[Thr 6876]     out: sssl_hdl = 0000000002D7DA30


[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)


[Thr 6876] NiIBlockMode: set blockmode for hdl 153 TRUE


[Thr 6876]   SSL NI-sock: local=<WDP IP>:53692 peer=<WAS IP>:443


[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)==SAP_O_K


[Thr 6876] ->> SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30, &hostname=0000000002D4FE20)


[Thr 6876] <<- SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30)==SAP_O_K


[Thr 6876]      in: hostname = "<FQDN WAS>"


[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7DA30)


[Thr 6876] SapISSLUseSessionCache(): Creating NEW session (0 cached)


[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)


[Thr 6876]   Server Certificate available (FCPath-Len= 0)


[Thr 6876]   Server's List of trusted CA DNames (from cert-request message):


[Thr 6876]     #1  "CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??"


[Thr 6876]     #2  "CN=kkkkkkkkkkkk, O=wwwwwwwwww, C=??"


[Thr 6876] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry


[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53F64, buf_len= 32 }


[Thr 6876] 00000: 5e 4a f0 f1 1d 0e 94 c8  c8 37 d0 c5 66 4b c1 e0   ^J...... .7..fK..


[Thr 6876] 00010: 80 26 ee b5 b1 0e 36 bb  92 45 10 c9 3a 8d ad e4   .&....6. .E..:...


...


[Thr 6876]   Subject DN: CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??


[Thr 6876] Issuer  DN: CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??


[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA


[Thr 6876] MatchTargetName("<FQDN WAS>", CN="<FQDN WAS>") == EXACT match


[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7DA30)==SAP_O_K


[Thr 6876] status = "new SSL session"


[Thr 6876] Server DN = " CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??"


[Thr 6876] IcmConnPoolNewEntry: created new entry 000000000B8A0930[0] for pool 000000000B809610 (nihdl=153, ssl=0000000002D7DA30)


[Thr 6876] ICR: IcrAttachToServer('!DIAGS' 1 2 4100 1 port:443/1/0) 0-> 0


[Thr 6876] HTR: routing to destination 'HOST_AAA_00' (balanceable=0)


[Thr 6876] server triggered


[Thr 6876]    Pool Entry 000000000B8A0930:


[Thr 6876]    NI: 153, SSL: 0000000002D7DA30, allocated: 1, inuse: 1, desc: 000000000B8096B0


..."


 


A few seconds later the WDP sends the request to the application server:


"...


[Thr 6876] local host: <WDP IP>:53692


[Thr 6876] remote host: <WAS IP>:443


[Thr 6876] HTR: forwarding buffer to server (443)


[Thr 6876] Address Offset  Send to AppServer via net:


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|


[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|


[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|


[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a6163 63657074 2d6c616e | */*..accept-lan|


..."


 


A response is received from the application server:


"...


[Thr 6876] Address Offset  IcmReadFromPartner received


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|


[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|


[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|


[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|


[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|


[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|


..."


The response is then re-encrypted and sent to the web browser:


"...


[Thr 6876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)


[Thr 6876] IcmHandleNetWrite(id=0/18): HandleServData returned: 1


[Thr 6876] Address    Offset  IcmWriteToConn:


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|


[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|


[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|


[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|


[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|


[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|


..."


 


Finally, the thread is free to wait a new request:


"...


[Thr 6876] IcmWriteToConn(id=0/18): wrote data to partner (len = 5243)


[Thr 6876] IcmNetBufFree: free netbuf: 0000000000759C10 out of 1 used


[Thr 6876] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F75FF0 MPI_OK


[Thr 6876] NiWakeupExec: send wakeup signal to 49627->64998 (sock 33032)


[Thr 6876] IcmConnRollOut: connection (id=0/18) rolled out: reason:1 role:1 timeout:60


[Thr 6876] CONNECTION (id=0/18):


    used: 1, type: default, role: Server(1), stateful: 0


    NI_HDL: 147, protocol: HTTPS(2)


    local host:  <WDP IP>:10000 ()


    remote host: <Client IP>:53691 ()


    status: READ_REQUEST


    connect time: xx.zz.yyyy aa:bb:cc


    MPI request:        <4>      MPI response:        <5>  


request_buf_size:   0        response_buf_size:   0    


request_buf_used:   0        response_buf_used:   0    


request_buf_offset: 0 response_buf_offset: 0    


[Thr 6876] IcmWorkerThread: SSL Session rolled out


[Thr 6876] REQ TRACE END: 0/18/1

[Thr 6876] IcmWorkerThread: Thread 2: Waiting for event


..."


 


If the parameter "icm/trace_secured_data = 1" is not set, it is not possible to see the HTML content. The following log entry appears:


"…


BINDUMP of content denied


…"


Stay tuned for my next blog about End-to-End SSL in the SAP Web Dispatcher!



5 Comments
Labels in this area
Popular Blog Posts