Issue with Activating SSL for Client to Web Dispatcher

Former Member
0 Kudos

Hi

We have installed the web dispatcher 7.41 to use as a front end into ECC via the DMZ for Mobile and UI5 devices.

The simple setup:

UI5/Mobile > HTTPS > Web Dispatcher > HTTP > Gateway > Trusted RFC > SAP ECC

The Web Dispatcher is sitting in the DMZ.

We have activated the parameter VCLIENT to option 2 - as we want only UI5/Mobile devices with the certificate installed to be able to view the Log In page - this is per standard build/config.

However, we tried installing the certificate from the web dispatcher on the client machine and the page is not displayed. When we change this parameter to option 1, the page is displayed.

Which certificate are we supposed to use?

Should we have a client certificate generated and installed into the web dispatcher?

SAP Help is not generally helpful in this area....

Accepted Solutions (1)

Matt_Fraser
Active Contributor
0 Kudos

Hi Barry,

Assuming that VCLIENT in 7.41 is the same as icm/HTTPS/verify_client in previous versions, then setting it to 2 tells the dispatcher that clients must have a client certificate installed. Not that they must have the dispatcher's certificate installed (they must trust the dispatcher's certificate regardless of the VCLIENT setting as long as https is used). So, you will need to generate and install client certificates to each device if you want to use this setting. If all your clients are internal and/or pushed by your organization on organization-provided devices, this might not be unreasonable, but if this is any kind of BYOD scenario, that could be difficult to manage.

Regards,

Matt

Former Member
0 Kudos

Thanks Matt

We will speak to our client about generating a client certificate.

Do we need to install this into the web dispatcher at all so it can authenticate, to stop any old devices being used?

Matt_Fraser
Active Contributor
0 Kudos

That I'm not sure of, as we don't use client certificates at my site, only server certificates. Client certificates are usually associated with Single-Sign-On scenarios. However, my understanding is that the root certificate of the CA that issues your client certificates just needs to be trusted by your web dispatcher, i.e. added to TrustedCAs, etc. (I'm not sure of the exact procedure in 7.41, but hopefully this steers you in the right direction). If your client certificates are issued by an internal CA, then add that CA's certificate to the web dispatcher. If they're issued by an external authority (like Verisign), then make sure that external authority's CA certificate is added (they are usually downloadable from the relevant vendor).

Likewise, the SSL server certificate for your web dispatcher needs to be trusted by all your clients, so it will either need to be issued by an internal CA that all clients are set up to trust, or by an external well-known CA (again, like Verisign or Thawte). However, that's not directly related to the client certificates.
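
The distinction drawn in the replies above, between the dispatcher's own server certificate and a client certificate issued by a CA the dispatcher trusts, shown with the OpenSSL command line as an added example (not part of the original posts and not SAP tooling). All subjects and file names are constructed; it assumes an `openssl` CLI (1.1.1 or later) and checks chain trust only, not a live handshake.

```shell
#!/bin/sh
# Constructed demo PKI: every subject, host name and file here is made up.

# make_pki: build a throwaway directory and print its name. It contains
#   ca.pem      CA that issues client certificates; this is what the server
#               side must have in its list of trusted CAs
#   client.pem  device certificate signed by that CA; each device holds it
#               together with its private key client.key
#   wd.pem      self-signed stand-in for the Web Dispatcher's server certificate
make_pki() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Client CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ui5-device-01" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/client.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=webdisp.example.test" \
        -keyout "$d/wd.key" -out "$d/wd.pem" 2>/dev/null || return 1
    echo "$d"
}

# accepts_client_cert CA CERT: succeeds only if CERT chains to CA, which is
# the trust decision a server makes when it requires a client certificate.
accepts_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the issued device certificate passes; the server's own certificate,
# copied to a device, does not (and the device lacks its private key anyway).
dir=$(make_pki) || exit 1
for cert in client.pem wd.pem; do
    if accepts_client_cert "$dir/ca.pem" "$dir/$cert"; then
        echo "$cert: accepted as a client certificate"
    else
        echo "$cert: rejected (not issued by a trusted client CA)"
    fi
done
rm -rf "$dir"
```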

Answers (1)

Former Member
0 Kudos

Hello

The VCLIENT parameter value governs the icm requiring client certificates. If you are using end-to-end SSL (SSL not terminating at web-dispatcher/reverse proxy) then icm will request a client certificate from the UI5/Mobile client. However, if SSL is terminating at web-dispatcher/reverse proxy, icm will require a client certificate from web-dispatcher.

If you want only UI5/Mobile devices with the certificate installed to be able to view the Log In page, you need to bypass SSL at webdispatcher/reverse-proxy.


I hope this information will help you.

Regards,
Tapan