Enable certificate based logon – 5 Configure SAP Web Dispatcher

Published by Tobias Hofmann on

1 min read

For SAP Web Dispatcher be able to forward the received client certificate received by the browser, it must

  1. Re-encrypt the connection
  2. Add the client certificate as a header in the request

To ensure the connection is forwarded encrypted via TLS, use the parameter wdisp/ssl_enrypt=2. Value 2 means that WD will always forward using TLS, independently if the request received was HTTP or HTTPS. To inform WD which client certificate to use, configure parameter wdisp/ssl_auth. Value 2 means that the certificate specified by parameter wdisp/ssl_cred is used. In the below sample profile, ssl_cred points to the client PSE (SAPSSLC.pse). Icm/HTTPS/verify_client controls whether or not WD is asking or demanding for a client certificate. 1 means that WD will ask for one, but continue if not presented, while 2 means that a certificate must be presented.

With this information, WD can be used to connect securely the backend and forward the client certificate as a header, while using its own client certificate to authenticate against the backend NetWeaver system.

Extract of a sample WD profile

# unique instance identifier


# unique instance number





# Configuration for handling certificates



icm/HTTPS/forward_ccert_as_header = true

icm/HTTPS/verify_client = 1

icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT

icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE

icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE

icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_1


# Backend System


wdisp/system_0 = SID=GWD, MSHOST=nwgw74.tobias.de, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1

# SAP Web Dispatcher Ports

icm/server_port_1 = PROT=HTTPS,PORT=443

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.