Enable certificate based logon – 5 Configure SAP Web Dispatcher


For SAP Web Dispatcher to be able to forward the client certificate it received from the browser, it must

  1. Re-encrypt the connection
  2. Add the client certificate as a header in the request

To ensure the connection is forwarded encrypted via TLS, use the parameter wdisp/ssl_encrypt=2. Value 2 means that WD will always forward using TLS, regardless of whether the request received was HTTP or HTTPS. To tell WD which client certificate to use, configure the parameter wdisp/ssl_auth. Value 2 means that the certificate specified by the parameter wdisp/ssl_cred is used. In the sample profile below, ssl_cred points to the client PSE (SAPSSLC.pse). icm/HTTPS/verify_client controls whether WD asks for or demands a client certificate: 1 means that WD will ask for one but continue if none is presented, while 2 means that a certificate must be presented.

With this configuration, WD can connect securely to the backend and forward the client certificate as a header, while using its own client certificate to authenticate against the backend NetWeaver system.

Extract of a sample WD profile

# unique instance identifier

SAPSYSTEMNAME = TOB

# unique instance number

SAPSYSTEM = 00

wdisp/ssl_encrypt=2

wdisp/ssl_auth=2

#

# Configuration for handling certificates

#

wdisp/ssl_cred=$(DIR_PROFILE)/sec/SAPSSLC.pse

icm/HTTPS/forward_ccert_as_header = true

icm/HTTPS/verify_client = 1

icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT

icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE

icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE

icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_1

#

# Backend System

#

wdisp/system_0 = SID=GWD, MSHOST=nwgw74.tobias.de, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1

# SAP Web Dispatcher Ports

icm/server_port_1 = PROT=HTTPS,PORT=443
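The settings explained above can be checked mechanically before a profile goes live. The following Python script is an added example, not part of the original post or of any SAP tooling; the helper names and the deliberately incomplete sample profile are constructed for illustration.

```python
# Added example: audit a Web Dispatcher profile against the settings described above.
# SAMPLE_PROFILE is constructed; parse_profile/audit_profile are hypothetical helper names.

SAMPLE_PROFILE = """\
# constructed sample with two deliberate mistakes
wdisp/ssl_encrypt = 1
wdisp/ssl_auth=2
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
"""

def parse_profile(text):
    """Return {parameter: value}; skips blank lines and '#' comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: values such as wdisp/system_0 contain '='.
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return a list of findings; entries starting with 'note:' are informational."""
    p = parse_profile(text)
    findings = []
    if p.get("wdisp/ssl_encrypt") != "2":
        findings.append("wdisp/ssl_encrypt is not 2: requests are not always forwarded using TLS")
    if p.get("wdisp/ssl_auth") != "2":
        findings.append("wdisp/ssl_auth is not 2: the certificate from wdisp/ssl_cred is not used")
    if not p.get("wdisp/ssl_cred"):
        findings.append("wdisp/ssl_cred is not set: no client PSE configured")
    if p.get("icm/HTTPS/forward_ccert_as_header", "").lower() != "true":
        findings.append("icm/HTTPS/forward_ccert_as_header is not true: certificate is not added as a header")
    verify = p.get("icm/HTTPS/verify_client")
    if verify not in ("1", "2"):
        findings.append("icm/HTTPS/verify_client is not 1 or 2: client certificate is neither asked for nor demanded")
    elif verify == "1":
        findings.append("note: icm/HTTPS/verify_client = 1, requests without a client certificate continue")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Run against the sample profile from this post, the script reports only the informational note about icm/HTTPS/verify_client = 1.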
