Enable certificate based logon – 5 Configure SAP Web Dispatcher
For SAP Web Dispatcher to be able to forward the client certificate it received from the browser, it must
- Re-encrypt the connection
- Add the client certificate as a header in the request
To ensure the connection is forwarded encrypted via TLS, use the parameter wdisp/ssl_encrypt=2. Value 2 means that WD will always forward using TLS, regardless of whether the request it received was HTTP or HTTPS. To tell WD which client certificate to use, configure parameter wdisp/ssl_auth. Value 2 means that the certificate specified by parameter wdisp/ssl_cred is used. In the sample profile below, ssl_cred points to the client PSE (SAPSSLC.pse). icm/HTTPS/verify_client controls whether WD asks for or demands a client certificate: 1 means that WD will ask for one but continue if none is presented, while 2 means that a certificate must be presented.
With this information, WD can connect securely to the backend and forward the client certificate as a header, while using its own client certificate to authenticate against the backend NetWeaver system.
Extract of a sample WD profile
# unique instance identifier
SAPSYSTEMNAME = TOB
# unique instance number
SAPSYSTEM = 00
wdisp/ssl_encrypt=2
wdisp/ssl_auth=2
#
# Configuration for handling certificates
#
wdisp/ssl_cred=$(DIR_PROFILE)/sec/SAPSSLC.pse
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT
icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE
icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE
icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_1
#
# Backend System
#
wdisp/system_0 = SID=GWD, MSHOST=nwgw74.tobias.de, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1
# SAP Web Dispatcher Ports
icm/server_port_1 = PROT=HTTPS,PORT=443
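As an added example (not part of the original post or of SAP's tooling), the following checker parses a WD profile extract such as the one above and reports any setting that would break certificate forwarding: a missing re-encryption or client-auth setting, verify_client=0 (no certificate is ever requested), or no HTTPS port. Parameter names are matched case-insensitively, which is an assumption of this checker; the sample profile is a constructed copy of the extract above.

```python
# Hypothetical profile checker for the certificate-forwarding settings described above.
# Not part of the original post or of SAP; parameter names are lower-cased for matching
# (an assumption of this checker), and '#' starts a comment as in the sample profile.

SAMPLE_PROFILE = """\
# constructed extract, mirrors the sample WD profile above
SAPSYSTEMNAME = TOB
SAPSYSTEM = 00
wdisp/ssl_encrypt=2
wdisp/ssl_auth=2
wdisp/ssl_cred=$(DIR_PROFILE)/sec/SAPSSLC.pse
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT
icm/server_port_1 = PROT=HTTPS,PORT=443
"""

def parse_profile(text):
    """Return a dict of parameter -> value from 'key = value' lines, ignoring comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)       # values may themselves contain '='
        params[key.strip().lower()] = value.strip()
    return params

def check_ccert_forwarding(params):
    """Return a list of findings; an empty list means the profile matches the requirements."""
    findings = []
    if params.get("wdisp/ssl_encrypt") != "2":
        findings.append("wdisp/ssl_encrypt should be 2 so every forwarded request uses TLS")
    if params.get("wdisp/ssl_auth") != "2":
        findings.append("wdisp/ssl_auth should be 2 so WD authenticates with wdisp/ssl_cred")
    elif not params.get("wdisp/ssl_cred"):
        findings.append("wdisp/ssl_auth=2 but wdisp/ssl_cred is not set")
    if params.get("icm/https/forward_ccert_as_header", "").lower() != "true":
        findings.append("icm/HTTPS/forward_ccert_as_header must be true")
    if params.get("icm/https/verify_client") not in ("1", "2"):
        findings.append("icm/HTTPS/verify_client must be 1 (ask) or 2 (require); 0 never requests one")
    if not params.get("icm/https/client_certificate_header_name"):
        findings.append("icm/HTTPS/client_certificate_header_name is not set")
    if not any(k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()
               for k, v in params.items()):
        findings.append("no HTTPS icm/server_port_* entry: a browser cannot present a certificate over HTTP")
    return findings

if __name__ == "__main__":
    for line in check_ccert_forwarding(parse_profile(SAMPLE_PROFILE)) or ["profile OK"]:
        print(line)
```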