15 Replies Latest reply: Mar 11, 2012 7:52 AM by Mauricio Wecker

Web Dispatcher and SSL

Francisco Pérez

Hi Experts

 

I already configured the SAP Web Dispatcher for performance reasons (load balancing), but something is wrong with the SSL configuration. The problem seems to be the Entrust certificates (Entrust is our CA), because the dispatcher sends an error when a client tries to access.

 

This is the error:

 

[Thr 9388] >> Begin of Secude-SSL Errorstack >>
[Thr 9388] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 9388] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"
[Thr 9388] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot

 

It seems that the Web Dispatcher does not identify the Entrust certificate.

 

Steps done for my configuration are:

 

1.- Configuring the Use of SSL on the AS Java -> Add new SSL Access on port 50443 -> Testing the URL https://FQN:50443/startPage = Successful

 

2.- Configuring the SAP Web Dispatcher to Support SSL -> Install the SAP Cryptographic Library on the SAP Web Dispatcher.-> set the LD_LIBRARY_PATH and SECUDIR variables.

 

3.- Create the SAP Web Dispatcher's PSE(s) and certificate request(s).

 

sapgenpse get_pse -p SAPSSLS.pse -s 2048 -x abcpin -r wdispbpp.req "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX" OK

 

4.- Send the certificate request(s) to a CA to be signed -> Sent the certificate request to Entrust CA -> Entrust CA returned the certificate: SapWebDispacher.cer

 

5.- Import the certificate request response(s) into the PSE.-> Import with root and Intermediate certificates

 

N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin
CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

 

6.- Create credentials for the SAP Web Dispatcher

 

N:\usr\sap\sapwebdisp>sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O CONSUPAGO\bppadm
running seclogin with USER="bppadm"
creating credentials for user "CONSUPAGO\bppadm"...
Adjusting credentials and PSE ACLs to include "CONSUPAGO\bppadm"...
Oh, you supplied your own name explicitly ... ok.
N:\usr\sap\sapwebdisp\sec\cred_v2 ... ok.
N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse ... ok.
Added SSO-credentials for PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse" "CN=bpm.consupago.com, OU=Infrastructure, O="Consupago, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX"

 

Set the profile parameters according to the connection type HTTPS – HTTPS:

 

SAPSYSTEM = 88

DIR_EXECUTABLE = .

DIR_INSTANCE = N:\usr\sap\sapwebdisp

ssl/ssl_lib = N:\usr\sap\sapwebdisp\sapcrypto.dll

ssl/server_pse = N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse

rdisp/mshost = clussapbpm

ms/http_port = 8101

ms/https_port = 443

wdisp/auto_refresh = 25

wdisp/max_servers = 100

wdisp/shm_attach_mode = 6

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

wdisp/HTTP/max_pooled_con = 500

wdisp/HTTPS/max_pooled_con = 500

icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=900

icm/server_port_1 = PROT=HTTP, PORT=80

icm/HTTPS/verify_client = 0

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt

wdisp/ssl_encrypt = 2

wdisp/ssl_certhost = clussapbpm

 

Can anybody help me with this error?

Best Regards !!!

  • Re: Web Dispatcher and SSL
    Olivier CHRETIEN

    Hi,

     

    I understand that you have used a self signed certificate on the backend Java system.

    I understand also that you use HTTPS between the web dispatcher and backend system.

    Did you import this self-signed certificate in the PSE of the web dispatcher ?

     

     

    Regards,

    Olivier

    • Re: Web Dispatcher and SSL
      Francisco Pérez

      Hi Olivier,

       

      I'm not totally sure if I understood you, but do you refer to point 5, where I import the certificates into the Web Dispatcher PSE?

       

      5.- Import the certificate request response(s) into the PSE.-> Import with root and Intermediate certificates

       

      N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin
      CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

       

      Best Regards ¡¡¡

      • Re: Web Dispatcher and SSL
        Olivier CHRETIEN

        Hi Francisco,

         

        If your configuration is like this :

         

        browser https> Web Dispatcher https> Backend system

         

        The web dispatcher opens a new SSL connection to the backend system.

        If the backend system uses a self-signed certificate, you need to import this certificate in the PSE of the web dispatcher.

         

        Regards,

        Olivier

        • Re: Web Dispatcher and SSL
          Francisco Pérez

          Hi Olivier,

           

          Yes, that is my configuration. So then, from what I understand, I need to import the certificate of my backend system (Java System CE 7.20) in the PSE of the web dispatcher. Is this certificate the one called "ssl-credentials-cert"? Or where can I find it?

           

          Regards ¡

           

          • Re: Web Dispatcher and SSL
            Olivier CHRETIEN

            Hi again,

             

            Check the documentation: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm

             

            In fact, I was wrong: you need to create a second PSE for your web dispatcher. You already have an SSL server PSE and you now need to create an SSL client PSE.

             

            Then :

             

            4. For outgoing connections that use SSL, import the CA root certificate for the CA that issued the back-end application server its SSL server certificate into the SAP Web Dispatcher's SSL client PSE.

             

            For a self-signed certificate, the certificate is its own CA, so you have to import the self-signed certificate inside the SSL client PSE.

            By the way, for these kinds of tasks I always use transaction STRUST (from any ABAP system), which I find much easier to use than the command line tool sapgenpse.exe.

             

            Regards,

            Olivier

            • Re: Web Dispatcher and SSL
              Francisco Pérez

              Hi Olivier,

               

              I'm really confused. I followed the guide you mention during my configuration, but I had no client PSE for the web dispatcher (sapsslc.pse), so I did not follow step 4 of the guide.

               

              I am configuring the Web dispatcher for load balancing between java portals (AS JAVA CI - AS JAVA Application Server), can you help me with two questions?

               

              Can I create the SSL client PSE from transaction STRUST in any ABAP instance, like SOLMAN? Or how can I create it?

               

              Regards ¡¡¡

               

              • Re: Web Dispatcher and SSL
                Olivier CHRETIEN

                Hi Francisco,

                 

                 

                > Can I create the SSL client PSE from transaction STRUST in any ABAP instance, like SOLMAN? Or how can I create it?

                 

                 

                 

                Yes, you can.

                The trick for using STRUST is to right click on the "File" entry in the left part and to choose "create".

                You will get the "Create PSE" popup where you can enter the necessary information. You can click on the "pencil" button to get a more traditional entry of the DN, Algorithm and key length.

                 

                Regards,

                Olivier

                • Re: Web Dispatcher and SSL
                  Francisco Pérez

                  Hi again Oliver,

                   

                  I just created the client PSE file through SOLMAN, but I get an error when I try to import the CA certificate into SAPSSLC.pse:

                   

                  sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLC.pse -x abcpin

                   

                  import_own_cert: Installation of certificate failed

                  ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public key found

                   

                  As for the server PSE file (SAPSSLS.pse), I had to create a key length of 2048KB as a condition of ENTRUST; SOLMAN cannot create it for more than 1024KB, so I had to create it through "sapgenpse" as follows:

                   

                  sapgenpse get_pse -p SAPSSLC.pse -s 2048 -x abcpin "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX"   OK  But the same error appears

                   

                  This error only appears with the file SAPSSLC.pse; if I import the certificate into the file SAPSSLS.pse it works correctly. I read in forums that the error may be in the PSE file that I just created, but I don't know where the error is.

                   

                  More Info:

                   

                  sapgenpse.exe get_my_name

                  SSO for USER "xxxxx"

                    with PSE file "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

                  Subject : CN=bpm.xxxxxxxx.com, OU=Infrastructure, O="Cxxxxxx, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX

                  Issuer  : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.",

                  OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US

                  Serialno: 4C:1C:18:F8

                  KeyInfo : RSA, 2048-bit

                  Validity  -  NotBefore:   Tue Jan 31 13:04:29 2012 (120131190429Z)

                                NotAfter:   Sat Aug 29 01:01:05 2015 (150829060105Z)

                   

                  Regards ¡¡¡

                  • Re: Web Dispatcher and SSL
                    Olivier CHRETIEN

                    Hi Francisco,

                     

                    Why don't you also use STRUST to import the CA certificate?

                    What you describe is exactly why I never use sapgenpse. STRUST is so much easier!

                     

                    PS: I can perfectly choose a 2048 key length when using STRUST. And I have had STRUST-generated certificates signed by Verisign with no problem.

                     

                    Regards,

                    Olivier

                    • Re: Web Dispatcher and SSL
                      Francisco Pérez

                      Hi Olivier,

                       

                      You were right; it's just that my SOLMAN system does not let me create PSE files with the RSA algorithm, only the DSA algorithm. Now I tried it with my CRM and it allowed me to do it. I also saw that the import of the certificate through SAPGENPSE was not done properly, and when I looked at the PSE files through CRM these files did not have any certificate. So then, I had to import the Entrust certificates again for the PSE file (SAPSSLS.pse) via STRUST.

                       

                      Now I have the PSE files and the services start correctly:

                       

                      profile param "ssl/server_pse" = "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

                      [Thr 11156]            resulting Filename = "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

                      [Thr 11156] =  secudessl_Create_SSL_CTX():  PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLA.pse" not found,

                      [Thr 11156] =      using PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLC.pse" as fallback

                      [Thr 11156] = Success -- SapCryptoLib SSL ready!

                      [Thr 11156] =================================================

                      [Thr 11156]

                      [Thr 11156] Started service PORT=443,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0

                      [Thr 11156] SSL settings: verify_client: 0, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

                       

                      But when I enter my URL https://clussapbpm.consupago.com/startPage it sends me an error:

                       

                      500 Dispatching Error

                      Error: -26

                      Version: 7200

                      Component: HTTP_ROUTE

                      Date/Time: Fri Feb 24 13:31:55 2012

                      Module: http_route.c

                      Line: 3360

                      Server: CSPXXXX01X__88

                      Error Tag:

                      Detail: no valid destination server available for '!ALL' rc=7

                       

                      Thanks in advance

                      Regards ¡¡¡

                       

                      Edited by: Francisco Daniel Perez Aguilar on Feb 24, 2012 8:40 PM

                      • Re: Web Dispatcher and SSL
                        Olivier CHRETIEN

                        Hi Francisco,

                         

                        Usually, you get this error message when your web dispatcher is not connected to the message server of the back-end system. Check the web dispatcher trace file after increasing the trace level.

                         

                         

                        Regards,

                        Olivier

                      • Re: Web Dispatcher and SSL
                        Mauricio Wecker

                        Hi Francisco,

                         

                        The error that you mentioned is thrown because the URL that you tried to access doesn't have a valid mapping into the backend systems to which the Web Dispatcher is connected.

                         

                        Does this /startPage really exist in the backend application servers?

                         

                        Can you access this URL directly on the application servers, or are you just not able to via the Web Dispatcher?

                         

                        Cheers,

                        Maurício

                         

                        • Re: Web Dispatcher and SSL
                          Francisco Pérez

                          Hi Olivier and Mauricio,

                           

                          I've increased the trace level for the log of the web dispatcher and saw that the connection to the message server is OK; however, I found an error indicating that there is no mapping between backend systems, just as you said, Mauricio.

                           

                          Error found:

                           

                          [Thr 9584] NiICheckPendConnection: connection of hdl 159 to 192.168.201.xxx:50443 established

                          [Thr 9584] NiIConnect: hdl 159 took local address 192.168.201.xxx:52070

                          [Thr 9584] NiIConnect: state of hdl 159 NI_CONNECTED

                          [Thr 9584] IcmConnPoolConnect: Connection to host: CSPSADBPM02.xxxxxxxx.com, service: 50443 established (nihdl=159)

                          [Thr 9584] <<- SapSSLSessionInit()==SAP_O_K

                          [Thr 9584]      in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

                          [Thr 9584]  SSL NI-sock: local=192.168.201.xxx:52070  peer=192.168.201.xxx:50443

                          [Thr 9584] <<- SapSSLSetNiHdl(sssl_hdl=000000001539C930, ni_hdl=159)==SAP_O_K

                          [Thr 9584]   SapISSLComposeFilename(): Filename = "N:\usr\sap\sapwebdisp\sec\SAPSSLC.pse"

                          [Thr 9584] <<- SapSSLSetSessionCredential(sssl_hdl=000000001539C930)==SAP_O_K

                          [Thr 9584]      in: cred_name = "SAPSSLC.pse"

                          [Thr 9584] <<- SapSSLSetTargetHostname(sssl_hdl=000000001539C930)==SAP_O_K

                          [Thr 9584]      in: hostname = "clussapbpm"

                          [Thr 9584]   MatchTargetName("clussapbpm", CN="localhost") MISmatch

                          [Thr 9584] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000001539C930)==SSSLERR_SERVER_CERT_MISMATCH

                          [Thr 9584]          status = "resumed SSL session"

                          [Thr 9584]       Server DN = "CN=localhost, OU=ssl-enabled-server, O=app-server"

                          [Thr 9584] <<- SapSSLErrorName()==SSSLERR_SERVER_CERT_MISMATCH

                          [Thr 9584] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxpool.c   2096]

                          [Thr 9584] IcmIConnPoolAllocEntry: no entry for pool 000000000254F6A0 found: 0, timeout: 0

                          [Thr 9584] ICR: IcrAttachToServer: IcmConnPoolAllocEntry failed -12 -> Retry 6.

                          [Thr 9584] ICR: IcrAttachToServer: retry connection in 160 milliseconds.

                          [Thr 9584] *** ERROR => IcmConnPoolAllocEntry(1) failed 0. Too many attempts (6) [ictxxroute_r 2730]

                          [Thr 9584] ICR: IcrAttachToServer('!ALL' 2 2 4100 1 port:50443/1/0) 0-> 7

                          [Thr 9584] *** ERROR => no valid destination server available for '!ALL' rc=7 [http_route.c 3360]

                           

                           

                          By the way, I can access the system through the URLs https://clussapbpm.xxxxxx.com:50443/startPage and http://clussapbpm.xxxxxx.com:50000/startPage, just not via the Web Dispatcher.

                           

                          Is the error due to a bad certificate or a bad SAPSSLC.pse file again? The only place where these values match "CN=localhost, OU=ssl-server-enabled, O=app-server" is on the certificate "ssl-credentials-cert" of my backend system.

                           

                          Best Regards ¡¡¡

                          • Re: Web Dispatcher and SSL
                            Olivier CHRETIEN

                            Hi Francisco,

                             

                             

                            It seems that the web dispatcher is trying to open an SSL connection to the hostname clussapbpm but that it gets a certificate with "CN=localhost, OU=ssl-enabled-server, O=app-server".

                            As "clussapbpm" is different from "localhost", there is a certificate mismatch and the connection fails.

                             

                            The question is therefore: why did you create an SSL server certificate with "CN=localhost"? I think this is the problem...

                             

                            Regards,

                            Olivier

                          • Re: Web Dispatcher and SSL
                            Mauricio Wecker

                            Hi Francisco,

                             

                            The issue here is that the certificate that you are using as client on your Web Dispatcher (SAPSSLC.pse) is not the client certificate for the backend that you are trying to access.

                             

                            You are providing for the backend the following certificate: CN=localhost, OU=ssl-enabled-server, O=app-server, but the backend is expecting a certificate that matches the hostname clussapbpm. You should export from clussapbpm the correct certificate and then import it to the Web Dispatcher.

                             

                            Note 1318906 has a brief description of this error.

                             

                            Cheers,

                            Maurício
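The two failures the thread walks through (the Secude-SSL "chain of certificates is incomplete" error in the question, and the later SSSLERR_SERVER_CERT_MISMATCH with CN=localhost vs. clussapbpm in the trace) are the two checks a TLS client applies to a server certificate. The following is an added example, not code from the thread or from SAP: it models those two checks in trace order over toy certificate records with string DNs (no real X.509 parsing or PSE access), with the backend DN taken from the trace and a hypothetical re-issued certificate for the passing case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy certificate record: string DNs as printed in the trace, no real X.509."""
    subject: str            # e.g. "CN=localhost, OU=ssl-enabled-server, O=app-server"
    issuer: str             # DN of the issuing CA; equal to subject when self-signed
    dns_names: tuple = ()   # subjectAltName DNS entries; empty means fall back to the CN

def cn_of(dn):
    """Return the CN attribute of a comma-separated DN string ('' if absent)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""

def match_target_name(cert, hostname):
    """Target-name check (what MatchTargetName does): SANs first, else the CN.
    A single left-most '*' label is allowed and covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in cert.dns_names or (cn_of(cert.subject),):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def chain_is_complete(leaf, trusted, extra, max_depth=5):
    """Follow issuer links through 'extra' certs until a cert in 'trusted' is reached.
    'trusted' stands for the CA list held in the client PSE (SAPSSLC.pse)."""
    by_subject = {c.subject: c for c in trusted + extra}
    trusted_subjects = {c.subject for c in trusted}
    current = leaf
    for _ in range(max_depth):
        if current.subject in trusted_subjects:
            return True   # reached an anchor the Web Dispatcher trusts
        if current.issuer == current.subject:
            return False  # self-signed but not imported: "does not fit the given PKRoot"
        current = by_subject.get(current.issuer)
        if current is None:
            return False  # issuer unknown: "Chain of certificates is incomplete"
    return False

def verify_backend(leaf, trusted, extra, target_host):
    """Run both checks in trace order and return the outcome name seen in the thread."""
    if not chain_is_complete(leaf, trusted, extra):
        return "CHAIN_INCOMPLETE"               # first error: SSL Errorstack in the question
    if not match_target_name(leaf, target_host):
        return "SSSLERR_SERVER_CERT_MISMATCH"   # second error: after SAPSSLC.pse was fixed
    return "SAP_O_K"

# Constructed sample data mirroring the thread: the backend's self-signed certificate
# with the DN quoted in the trace, and "clussapbpm" as the wdisp/ssl_certhost value.
BACKEND_DN = "CN=localhost, OU=ssl-enabled-server, O=app-server"
BACKEND_SELF_SIGNED = Cert(subject=BACKEND_DN, issuer=BACKEND_DN)
# Hypothetical re-issued certificate whose CN carries the real backend hostname.
FIXED_DN = "CN=clussapbpm, OU=ssl-enabled-server, O=app-server"
BACKEND_FIXED = Cert(subject=FIXED_DN, issuer=FIXED_DN)

if __name__ == "__main__":
    print(verify_backend(BACKEND_SELF_SIGNED, [], [], "clussapbpm"))                    # CHAIN_INCOMPLETE
    print(verify_backend(BACKEND_SELF_SIGNED, [BACKEND_SELF_SIGNED], [], "clussapbpm"))  # SSSLERR_SERVER_CERT_MISMATCH
    print(verify_backend(BACKEND_FIXED, [BACKEND_FIXED], [], "clussapbpm"))              # SAP_O_K
```

Importing the self-signed backend certificate into the client PSE clears only the first check; the CN (or a DNS SAN) must also match the name the dispatcher connects to, so a backend certificate issued for the real hostname is the fix for the second.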
