Reset password for SAP Web Dispatcher user


It happened. You no longer remember the password that SAP Web Dispatcher (WD) created during the bootstrap operation. That is not bad in itself (who can remember a password like aR$#¨%_09fms! anyway?), and normally your browser saves it for you (hm, maybe not so good) or your password safe does (better). But the password is gone, and you cannot log on to the WD admin interface anymore. No worries: if you have access to the computer where WD is running, you can either

  1. Get the icmauth.txt file and try to hack the password or
  2. Create a new password for your user.

I prefer option 2.

The documentation at SAP Help gives you some options for this, such as recreating the configuration (bootstrap), which gives you a new password for the icmadm user.

  • Creating Administration Users SAP Help

The online documentation for this section only mentions icmon, but for Web Dispatcher you have to use wdispmon. The authors explain this on the parent page of the topic and justify it by saying that this makes things easier. I am not sure for whom, but definitely not for the person reading the guide, as you have to read the parent page to find out why icmon is not available for WD. Note: the page is for WD, and still the documentation uses the ICM commands for NetWeaver ABAP #yay.

The content of the icmauth.txt file looks like this:

# Authentication file for ICM and SAP Web Dispatcher authentication

icmadm:{SHA384}z3Lq992UB3lmK3F5dND266RBGU1S2xflxQOtSJn4irawcIce+Xo:admin

Field 1: icmadm is the user.
Field 2: {SHA384}z3… is the hashed password of the user (the {SHA384} prefix names the hash algorithm).
Field 3: admin is the group of the user.
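If you already have the file open, it is worth checking all of its entries, not only the one you are resetting. The following is an added example, not SAP code and not part of the original post: a small Python audit that parses the three-field layout shown above (user:{ALG}hash:group, with # starting a comment) and reports duplicate users, entries whose hash scheme is not SHA384, and which accounts belong to the admin group. The sample file is constructed; only the icmadm line is the one reproduced in the post, and the other hash values are made up.

```python
import re
from collections import Counter, namedtuple

# Constructed sample icmauth.txt. Only the icmadm line comes from the post;
# the other two entries and their hash values are invented for the example.
SAMPLE_ICMAUTH = """\
# Authentication file for ICM and SAP Web Dispatcher authentication
icmadm:{SHA384}z3Lq992UB3lmK3F5dND266RBGU1S2xflxQOtSJn4irawcIce+Xo:admin
monitor:{SHA384}c0nstructedHashValueForTheMonitorUser0000000000000000:monitor
legacyadm:{SHA1}c0nstructedOldStyleHashValue0000:admin
"""

Entry = namedtuple("Entry", "user scheme digest group")

# Password field looks like {ALG}base64digest; the digest never contains ':'.
HASH_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(\S+)$")


def parse_icmauth(text):
    """Return the Entry records of an icmauth.txt body, skipping comments
    and blank lines. Raises ValueError on a line that does not have the
    expected user:{ALG}hash:group layout (assumption based on the post)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected user:hash:group, got {raw!r}")
        user, hashed, group = fields
        m = HASH_RE.match(hashed)
        if not m:
            raise ValueError(f"line {lineno}: password field has no {{ALG}} prefix")
        entries.append(Entry(user, m.group(1).upper(), m.group(2), group))
    return entries


def audit_icmauth(entries, expected_scheme="SHA384", admin_group="admin"):
    """Findings a reviewer would want: duplicate users, entries not using
    the expected hash scheme, and the members of the admin group."""
    findings = []
    for user, count in Counter(e.user for e in entries).items():
        if count > 1:
            findings.append(f"user {user} appears {count} times")
    for e in entries:
        if e.scheme != expected_scheme:
            findings.append(f"user {e.user} uses {e.scheme} instead of {expected_scheme}")
    admins = [e.user for e in entries if e.group == admin_group]
    findings.append(f"members of group {admin_group}: {', '.join(admins) or 'none'}")
    return findings


if __name__ == "__main__":
    for finding in audit_icmauth(parse_icmauth(SAMPLE_ICMAUTH)):
        print(finding)
```

Run it against a copy of the real file (parse_icmauth(open(path).read())) after the password change; the backup copy that wdispmon writes is a good second input, to confirm that only the intended entry changed.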

To change the password of the user icmadm, use the wdispmon command with the -a flag and provide the path to the WD profile file.

Command: wdispmon -a pf=sapwebdisp.pfl

Enter c to change the password of an existing user.

Enter the new password. For now the new password is not yet available to WD, as it has not been saved to icmauth.txt. To persist the new password you have to save it: select s from the menu.

Do not worry, a copy of the old file is created (in case your co-worker still has the old password). With this done, you can exit the program: select q from the menu.

(Not sure if you have to restart WD, but I did.) Now you can log on using the new password to WD. Access your WD admin page and log on using icmadm and the new password.

https://localhost:4300/sap/wdisp/admin/public/default.html


Install SAP OCB Retail – 5 – Starting the application


Three types of applications were installed by SAP Omnichannel Retail Banking:

  • business central
  • business banking
  • retail banking

Each one of those is accessed by a URL and browser.

Business Central

Access: https://localhost:8081/bc/servlet/bc/global.jsp

Select your language (most probably, it will be English). In the next screen, enter user name: admin

Enter password Pass1234.

Welcome to business central.

Business Banking

Access: https://localhost:8081/cb/pages/jsp-ns/login-corp.jsp

Enter the user name jtech

Enter the password Pass1234

Retail Banking application

Access: https://localhost:8081/cb/pages/jsp-ns/login-cons.jsp

User: tbowman

Password: Pass1234

Home screen on online banking.


Install SMP3 with Oracle DB


The following procedure for installing SMP3 with an Oracle DB is for Linux. For tests, you can use Oracle Express. Check with your environment/company whether you are allowed to use that version.

Prerequisites

Ensure that Oracle XE is up and running. It is important that the tnslistener is working! Run the listener and check the status:

/u01/app/oracle/product/11.2.0/xe/bin/lsnrctl status

Configure installation parameters

The steps are documented at SAP Help. You’ll have to edit the SilentInstall_Linux.txt file and adjust the installation parameters.

vim SilentInstall_Linux.txt

For Oracle, you’ll need to change these parameters (at the end, you’ll find a complete example file):

Configure SMP3 to use an external DB

-V developerInstall="false"
-V productionInstall="true"
-V sqlaEmbeddedDB="false"
-V existDB="true"

Enter the Oracle XE connection parameters

-V existDBType="oracle-sid"
-V dbHostName="localhost"
-V dbPortNumber="1521"
-V dbLogin="gomobile"
-V dbPassword="secret"
-V dbDBName="XE"

Enter the JDBC driver location

-V jdbcDriver="/u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar"
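A wrong combination of the flags above (for example the embedded SQL Anywhere DB left enabled next to existDB) is only reported once the installer runs. As an added example, not part of the post or of the SMP3 installer, here is a Python check that parses the -V key="value" lines of SilentInstall_Linux.txt and verifies the external-Oracle combination before you start the installer. The excerpt it parses is constructed from the parameter names and values shown above.

```python
import re

# Constructed excerpt of SilentInstall_Linux.txt, using the parameter names
# and values from the post.
SAMPLE_PARAMS = """\
-V developerInstall="false"
-V productionInstall="true"
-V sqlaEmbeddedDB="false"
-V existDB="true"
-V existDBType="oracle-sid"
-V dbHostName="localhost"
-V dbPortNumber="1521"
-V dbLogin="gomobile"
-V dbPassword="secret"
-V dbDBName="XE"
-V jdbcDriver="/u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar"
"""

# One installer parameter per line: -V name="value"
PARAM_RE = re.compile(r'^\s*-V\s+(\w+)="([^"]*)"\s*$')

# Flag values the post says an external Oracle (SID) install needs.
EXPECTED_FLAGS = {
    "developerInstall": "false",
    "productionInstall": "true",
    "sqlaEmbeddedDB": "false",
    "existDB": "true",
    "existDBType": "oracle-sid",
}
REQUIRED_VALUES = ("dbHostName", "dbLogin", "dbPassword", "dbDBName", "jdbcDriver")


def parse_silent_install(text):
    """Return a dict of the -V parameters; comments and other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_external_oracle(params):
    """Return a list of human-readable problems; an empty list means the
    external-Oracle parameters are consistent."""
    issues = []
    for key, want in EXPECTED_FLAGS.items():
        got = params.get(key)
        if got != want:
            issues.append(f'{key} should be "{want}", found {got!r}')
    for key in REQUIRED_VALUES:
        if not params.get(key):
            issues.append(f"{key} is missing or empty")
    port = params.get("dbPortNumber", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        issues.append(f"dbPortNumber is not a valid TCP port: {port!r}")
    driver = params.get("jdbcDriver", "")
    if driver and not driver.endswith(".jar"):
        issues.append("jdbcDriver does not point at a .jar file")
    return issues


if __name__ == "__main__":
    problems = check_external_oracle(parse_silent_install(SAMPLE_PARAMS))
    print("OK" if not problems else "\n".join(problems))
```

Note that the file holds the DB password in clear text, so restrict its permissions to the installing user and delete or scrub it once the installation has finished.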

Prepare Oracle DB

From the above connection parameters you can see that SMP3 is going to use the user gomobile with the password secret to connect to Oracle XE. This means that the user, its password and a schema must be created in the DB. SMP3 comes with a SQL script for Oracle that does exactly that. The script is located at /db_tools/db/oracle/smp3/sql and is named 001_SMP3_drop_and_create_user.DDL. It contains the SQL statements to create the user with the right permissions:

CREATE ROLE SY365_OBJOWNER;
GRANT CREATE SEQUENCE TO SY365_OBJOWNER;
GRANT CREATE SESSION TO SY365_OBJOWNER;
GRANT CREATE SYNONYM to SY365_OBJOWNER;
GRANT CREATE TABLE TO SY365_OBJOWNER;
GRANT CREATE VIEW TO SY365_OBJOWNER;
GRANT CREATE PROCEDURE TO SY365_OBJOWNER;
GRANT CREATE SEQUENCE TO SY365_OBJOWNER;
GRANT CREATE TRIGGER TO SY365_OBJOWNER;
GRANT CREATE INDEXTYPE TO SY365_OBJOWNER;
DROP USER GOMOBILE CASCADE;
CREATE USER GOMOBILE
IDENTIFIED BY secret
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 2 Roles for GOMOBILE
GRANT SY365_OBJOWNER TO GOMOBILE;
GRANT CREATE SESSION TO GOMOBILE;
GRANT CONNECT TO GOMOBILE;
ALTER USER GOMOBILE DEFAULT ROLE ALL;
-- 1 Tablespace Quota for GOMOBILE
ALTER USER GOMOBILE QUOTA UNLIMITED ON USERS;

You’ll have to add the command EXIT; at the end of the file.

To run the SQL script, run:

sqlplus system/Sap123 @001_SMP3_drop_and_create_user.DDL > smp3.log
  • Note: Sap123 is the password for the user system. Passing it on the command line like this leaves it in your shell history and makes it visible in the process list while sqlplus runs; running sqlplus system @001_SMP3_drop_and_create_user.DDL and typing the password at the prompt avoids that.

The output is written to smp3.log:

SQL*Plus: Release 11.2.0.2.0 Production on Wed Aug 24 21:37:08 2016
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Role created.
Grant succeeded.
[…]
DROP USER GOMOBILE CASCADE
ERROR at line 1:
ORA-01918: user 'GOMOBILE' does not exist
User created.
Grant succeeded.
[…]
User altered.
User altered.

The error regarding DROP USER is expected: the user gomobile had not been created before, so there was no user to drop.
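Because the one ORA-01918 is expected, a plain grep for "ORA-" on smp3.log would always hit. As an added example, not part of the post, the following Python check reads the log, tolerates the expected error code and reports every other ORA- error, plus whether the CREATE USER actually succeeded. The two log excerpts are constructed from the output shown above; the second one simulates a run with a system account lacking privileges (ORA-01031 is Oracle's "insufficient privileges" code).

```python
import re

# Constructed excerpt of smp3.log, based on the output reproduced in the post.
SAMPLE_LOG = """\
Role created.
Grant succeeded.
DROP USER GOMOBILE CASCADE
ERROR at line 1:
ORA-01918: user 'GOMOBILE' does not exist
User created.
Grant succeeded.
User altered.
User altered.
"""

# Constructed failure case: the account running the script may not create users.
SAMPLE_LOG_PRIVS = """\
Role created.
Grant succeeded.
CREATE USER GOMOBILE
ERROR at line 1:
ORA-01031: insufficient privileges
"""

ORA_RE = re.compile(r"\b(ORA-\d{5}): (.*)")

# ORA-01918 (user does not exist) is harmless on a first run of the script.
EXPECTED_ERRORS = frozenset({"ORA-01918"})


def find_oracle_errors(log_text, expected=EXPECTED_ERRORS):
    """Split the ORA- errors in a sqlplus log into (expected, unexpected)
    lists of (line number, code, message) tuples."""
    expected_seen, unexpected = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ORA_RE.search(line)
        if not m:
            continue
        code, msg = m.group(1), m.group(2).strip()
        target = expected_seen if code in expected else unexpected
        target.append((lineno, code, msg))
    return expected_seen, unexpected


def script_succeeded(log_text):
    """True when no unexpected error occurred and the user was created."""
    _, unexpected = find_oracle_errors(log_text)
    return not unexpected and "User created." in log_text


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("privs", SAMPLE_LOG_PRIVS)):
        seen, bad = find_oracle_errors(log)
        print(name, "ok" if script_succeeded(log) else "FAILED", bad)
```

Point it at the real file with script_succeeded(open("smp3.log").read()); if you re-run the script on an existing installation, ORA-01918 will no longer appear, and that is fine too since the check only insists on the absence of unexpected errors.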

Run installer

With the above steps done, SMP3 installer is ready to be run.

./SilentInstall_Linux.sh

The output will contain information regarding the Oracle DB:

dbg, existDBType:oracle-sid
WARNING: Selecting this option confirms SMP database is already created
dbg, jdbcDriver: /u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar
dbg, jdbcDriver fullFileName: /u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar
dbg, jdbcDriverFile: /sap/SAP/MobilePlatform3/Util/ojdbc6.jar
dbg, ojdbc6.jar will be renamed to ojdbc.jar in the installation
dbg, queryExit:oracle-sid localhost gomobile [pwd entered] 1521 XE
dbg, Ping succcesful: 0
dbg, smpDataExists:false
dbg, New node install

If everything works fine, you’ll get a confirmation message at the end of the installation.

Installation Successful

Validation

SAP Help contains some information on how to validate the installation. You can search the installation log for error messages, but when an error occurs the installer normally stops anyway. My preferred way to check SMP3 is to start the server and see if I can log on, create apps, etc. The basic test is therefore to start SMP3 and log on.


Online Certificate Status Protocol


The Online Certificate Status Protocol, or OCSP for short, lets you obtain the revocation status of a certificate. It has some benefits over certificate revocation lists, mainly that you can let the OCSP server do the heavy work of validating a certificate, and the client gets a signed answer that it can verify before accepting it. To use OCSP in your landscape, you will have to install and configure an OCSP responder. I did this for my sandbox SMP3 system. Here are the links that contain the information on how to set up your own OCSP responder on your Microsoft CA server.

My walkthrough

Hope you find the links useful.

Additional OCSP information

Here are some more links that I consulted when setting up my OCSP responder. All are from Microsoft and cover OCSP on a Microsoft server and CA.

About

Implementing OCSP responder part 1 – introducing OCSP

OCSP installation and configuration

Designing and implementing a PKI part 2

Designing and implementing a PKI part 3

Designing and implementing a PKI part 4

Designing and implementing a PKI part 5

Windows Server

Online Responder Installation, Configuration, and Troubleshooting Guide

AD CS: Online Certificate Status Protocol Support

Configure a CA to Support OCSP Responders


OCSP part 6 – Test OCSP service


To test whether OCSP is working, you need a certificate with OCSP information included. This is only available for certificates issued AFTER the service was installed, configured and activated on the CA. Therefore, you'll first need to create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request or you will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL and a Windows Enterprise CA.

Create CSR with OpenSSL

openssl req -new -newkey rsa:2048 -nodes -keyout dummy.key -out dummy.csr

This creates the private key file and the CSR in Base64 (PEM) encoding.

Submit CSR to CA

Certificate snap-in

A MSFT Enterprise CA needs the CSR to be created for a specific template, something that OpenSSL does not offer. If you submit such a request to the CA via the MMC, you get an error message.

More information

CA Web Interface

Open the web enrollment server in your browser. Click on Request a certificate.

Go to the advanced options.

Paste the Base64 encoded CSR into the input field. Select User as the certificate template.

Submit the request and download the generated certificate.

Take a closer look at the certificate: in the AIA section, OCSP must be listed.

Test OCSP service

In the above step, a new user certificate was created that contains OCSP information. To test whether OCSP is working, Microsoft offers the certutil tool.

certutil -URL dummy.cer

In the Retrieve box, you can select how the certificate information should be retrieved.

Select OCSP.

Check the status

Result: Failed

Result: Unsuccessful

Result: Verified
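certutil is Windows-only, and as part 5 of this series notes, it does not send a NONCE, so it can pass where a client that does send one fails. As an added example, not part of the post and not Microsoft or OpenSSL code, here is a small Python helper that builds the equivalent openssl commands (first reading the OCSP URL from the certificate's AIA extension, then querying the responder with a nonce) and interprets what openssl ocsp prints. The file names and the responder URL are placeholders, and the three output samples are constructed, modelled on the lines openssl ocsp emits; nothing here contacts a responder itself.

```python
import re
import subprocess

# Placeholder inputs; replace with your own certificate, issuer CA and URL.
CERT_FILE = "dummy.cer"
ISSUER_FILE = "ca.cer"
OCSP_URL = "http://<ServerDNSName>/ocsp"


def ocsp_uri_command(cert_file):
    """Command that prints the OCSP URL from the certificate's AIA extension."""
    return ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_file]


def ocsp_query_command(cert_file, issuer_file, url, with_nonce=True):
    """Command that asks the responder for the certificate's status.
    -nonce makes the client send a nonce and expect it back (see part 5)."""
    cmd = ["openssl", "ocsp", "-issuer", issuer_file, "-cert", cert_file,
           "-url", url, "-resp_text"]
    cmd.append("-nonce" if with_nonce else "-no_nonce")
    return cmd


# "<file>: good|revoked|unknown" is the per-certificate verdict line.
STATUS_RE = re.compile(r"^(?P<subject>\S+): (?P<status>good|revoked|unknown)\s*$", re.M)


def parse_ocsp_output(text):
    """Reduce openssl ocsp output to the three facts that matter."""
    m = STATUS_RE.search(text)
    return {
        "verified": "Response verify OK" in text,
        "status": m.group("status") if m else None,
        "nonce_missing": "WARNING: no nonce in response" in text,
    }


def is_acceptable(result, require_nonce=True):
    """Accept only a verified 'good' answer, and (by default) only one that
    echoed our nonce back."""
    if not result["verified"] or result["status"] != "good":
        return False
    if require_nonce and result["nonce_missing"]:
        return False
    return True


# Constructed samples of what openssl ocsp prints in three situations.
OUTPUT_GOOD = """\
Response verify OK
dummy.cer: good
\tThis Update: Aug 24 21:37:08 2016 GMT
\tNext Update: Aug 25 09:37:08 2016 GMT
"""
OUTPUT_NO_NONCE = "WARNING: no nonce in response\n" + OUTPUT_GOOD
OUTPUT_REVOKED = """\
Response verify OK
dummy.cer: revoked
\tThis Update: Aug 24 21:37:08 2016 GMT
\tReason: keyCompromise
\tRevocation Time: Aug 24 20:00:00 2016 GMT
"""


def check_certificate(cert_file, issuer_file, url):
    """Run both commands for real; returns the parsed verdict."""
    uri = subprocess.run(ocsp_uri_command(cert_file), capture_output=True,
                         text=True, check=True).stdout.strip()
    print("AIA OCSP URL in certificate:", uri or "(none)")
    proc = subprocess.run(ocsp_query_command(cert_file, issuer_file, url),
                          capture_output=True, text=True)
    return parse_ocsp_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for name, out in (("good", OUTPUT_GOOD), ("no nonce", OUTPUT_NO_NONCE),
                      ("revoked", OUTPUT_REVOKED)):
        print(name, parse_ocsp_output(out), is_acceptable(parse_ocsp_output(out)))
```

The status and warning lines go to different streams depending on the OpenSSL version, which is why check_certificate parses stdout and stderr together; with the responder from part 5 configured without NONCE you should see the second sample's result, and after enabling it the first.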


OCSP part 5 – Further configuration steps


After OCSP is installed and configured and the CA includes OCSP information in newly issued certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, such as enabling NONCE. Microsoft's test client isn't using a NONCE and its test will pass, while OpenSSL uses a NONCE and that test will fail. Generally, enabling it ensures you'll have fewer problems with a wide range of clients.

Enable NONCE

Edit OCSP configuration properties.

Go to tab Signing and enable NONCE.

Check status

In case you get a "signing certificate not available" error for the array controller, refresh the node.

The status should be empty.

In the CA, an OCSP signing certificate must appear in the list of issued certificates.


OCSP part 4 – Configure CA to support OCSP Responders


After the OCSP service is installed and configured, the CA must be made aware of the service. Only after this will certificates newly issued by the CA include the OCSP information. This means that you can run an OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won't be able to do this.

To configure a CA to support an Online Responder or OCSP responder services:

  • Open the Certification Authority snap-in.

  • Open the properties of the CA.

  • Open the Extensions tab. By default, the CRL distribution point (CDP) list is shown.

  • Change from CDP to Authority Information Access (AIA).

  • Click on Add to add a new location.

  • Specify the location from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed. Make sure that the clients can resolve the DNS name and communicate with the service.

    Example: http://<ServerDNSName>/ocsp

  • Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.

    You will have to restart the CA service to make the new configuration effective.

  • Next, you will have to include the OCSP certificate in the list of available certificates of the CA.

  • Open the CA snap-in, select Certificate Templates, right-click and choose “New Certificate Template to Issue”.

  • Select the OCSP Response Signing certificate.

  • To check that it worked, select the certificate and open its properties.


OCSP part 3 – Add read permission to Network Service


For the CA to be able to use OCSP, read permission on the private key must be granted.

Add Read permissions to Network Service on the private key

Open the Certificate Templates snap-in.

Select the OCSP Response Signing template.

Right-click it and click on Properties.

Go to the Security tab. Click on Add.

In the dialog, select Computers from the list of object types.

Search for the CA/OCSP computer. Click OK.

Select the newly created entry with the computer name of the OCSP responder and select ALLOW for Read and Enroll permissions.

Finish the task by clicking on OK.


OCSP part 2 – Create a Revocation Configuration


After installing the OCSP component in Windows, it is time to configure the service: how OCSP requests are going to be handled, from where to receive the CRL, which OCSP signing certificate to use, etc.

  1. Open the Online Responder snap-in.

  2. Click on Revocation Configuration.

  3. The list of available configurations is empty.

  4. Add a new revocation configuration.

  5. The configuration wizard opens.

  6. Give the new configuration a name.

  7. Enter the location of the CA. My CA is a Windows Enterprise CA, so its configuration is stored in the AD.

  8. Give the information of the signing certificate. Just leave the default values.

  9. Configure the provider, that is, where OCSP can retrieve the information on revoked certificates.

  10. I am using the AD for obtaining this information.

  11. After this, the necessary information for the provider is given and the wizard can start performing the actual configuration.

  12. This ends the wizard. Afterwards, the status can be seen in the pane.


OCSP part 1 – Install an Online Responder


Installing OCSP Responder Role

You can install the OCSP responder role in Windows Server 2008 R2 either via a command line tool or by using the role wizard.

Command line

Command: servermanagercmd.exe -install ADCS-Online-Cert

Whooops, deprecated 😀

Nevertheless, it works. You just have to wait for the installer to finish.

Role wizard

  1. Open the server manager.

  2. Select the roles node and Active Directory Certificate Services.

  3. The Online Responder role should be shown as not installed.

  4. To add the role, click on Add Role Services. Select Online Responder.

    The installation starts.

  5. At the end of the installation, an Installation succeeded message must appear.

  6. In the list of installed roles, Online Responder appears now with status installed.

  7. In IIS, a new web site named ocsp must appear. This is the URL of the OCSP responder that needs to be added to certificates by the CA.
