Technology Blog Posts by SAP
cris_hansen
Product and Topic Expert

There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL termination (in the WDP), SSL re-encryption and end-to-end SSL. This blog presents the second scenario: the WDP terminates the browser's SSL connection, decrypts the request, and opens a second SSL connection of its own to the application server, so the traffic is encrypted on both legs but is in clear inside the WDP process.


Prerequisites




  • SAP Web Dispatcher 7.20 or higher

  • SAPCRYPTOLIB 5.5.5 patch level 24 or higher (patch level 32 is used in this blog)


Profile parameters


The standard SSL configuration requires the following three parameters. In the re-encryption scenario the server PSE (SAPSSLS.pse) holds the certificate presented to browsers, while the client PSE (SAPSSLC.pse) is used by the WDP for the outbound HTTPS connection to the application server, so the CA that issued the backend's server certificate must be present in the client PSE's certificate list:


 


ssl/ssl_lib     = <path>\sapcrypto.dll


ssl/server_pse  = <path>\SAPSSLS.pse


ssl/client_pse  = <path>\SAPSSLC.pse


As WDP 7.20 or higher can serve several backend systems, the following parameters are set (SRCSRV binds each system to the WDP port on which the request arrives):


wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000


wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001


The corresponding server ports must also be defined:


icm/server_port_0 = PROT=HTTP,PORT=9999


icm/server_port_1 = PROT=HTTPS,PORT=10000


icm/server_port_2 = PROT=HTTPS,PORT=10001


 


As the WDP will re-encrypt the data on its way to the application server, the parameter below must be set (with the value 0 the request would be forwarded to the backend as plain HTTP, i.e. the SSL termination scenario):


wdisp/ssl_encrypt = 1


Last but not least, for testing purposes the HTML dump into the trace is enabled together with trace level 3. Important: the trace files will be HUGE! The two parameters below should be set only for a quick test or for error analysis. The default trace level (i.e. 1) must be used in productive systems, and for security reasons the dump of secured data must stay off: with it enabled, everything the WDP decrypts (cookies, logon credentials, session identifiers, business data) is written in clear to dev_webdisp.


icm/trace_secured_data = 1


rdisp/TRACE = 3


 


Checking the configuration


As soon as the profile file is saved, one can test the configuration by running:


 


sapwebdisp pf=sapwebdisp.pfl -checkconfig


No error message is expected from -checkconfig.


The WDP is now ready to work!
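The following Python script is an added example; it is not part of the original post and it is not SAP's sapwebdisp -checkconfig. It parses the profile fragment above (hypothetical paths stand in for <path>, and hypothetical message server hosts for <FQDN1>/<FQDN2>) and reports what a practitioner would verify before starting the WDP for re-encryption: the three SSL parameters are present, wdisp/ssl_encrypt is 1, every SRCSRV port of a backend system has an HTTPS listener, and the two trace parameters are not left at their test values.

```python
"""Offline consistency check of a sapwebdisp.pfl for the SSL re-encryption scenario.

Added example: this is not SAP's 'sapwebdisp -checkconfig'. It only parses the
profile fragment used in this blog and reports findings a practitioner would
want to see before starting the Web Dispatcher.
"""

# Constructed sample profile: the parameters from the blog. The paths and the
# message server hosts are hypothetical placeholders.
SAMPLE_PROFILE = r"""
ssl/ssl_lib     = C:\sapwebdisp\sec\sapcrypto.dll
ssl/server_pse  = C:\sapwebdisp\sec\SAPSSLS.pse
ssl/client_pse  = C:\sapwebdisp\sec\SAPSSLC.pse
wdisp/system_0 = SID=AAA, MSHOST=aaahost.foo.bar, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000
wdisp/system_1 = SID=BBB, MSHOST=bbbhost.foo.bar, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001
icm/server_port_0 = PROT=HTTP,PORT=9999
icm/server_port_1 = PROT=HTTPS,PORT=10000
icm/server_port_2 = PROT=HTTPS,PORT=10001
wdisp/ssl_encrypt = 1
icm/trace_secured_data = 1
rdisp/TRACE = 3
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_subparams(value):
    """Split a 'KEY=VAL, KEY=VAL' value (wdisp/system_N, icm/server_port_N) into a dict."""
    out = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out


def check_reencryption_profile(text):
    """Return a list of findings; an empty list means the profile is consistent."""
    p = parse_profile(text)
    findings = []

    for required in ("ssl/ssl_lib", "ssl/server_pse", "ssl/client_pse"):
        if required not in p:
            findings.append(f"missing {required}")

    if p.get("wdisp/ssl_encrypt") != "1":
        findings.append("wdisp/ssl_encrypt is not 1: requests would reach the backend as plain HTTP")

    # HTTPS listener ports declared with icm/server_port_N ...
    https_ports = set()
    for name, value in p.items():
        if name.startswith("icm/server_port_"):
            sp = parse_subparams(value)
            if sp.get("PROT", "").upper() == "HTTPS":
                https_ports.add(sp.get("PORT"))

    # ... must cover the SRCSRV port that selects each backend system.
    for name, value in p.items():
        if name.startswith("wdisp/system_"):
            srcsrv = parse_subparams(value).get("SRCSRV", "")
            port = srcsrv.rsplit(":", 1)[1] if ":" in srcsrv else None
            if port not in https_ports:
                findings.append(f"{name}: SRCSRV port {port} has no icm/server_port with PROT=HTTPS")

    # Test-only trace settings that write decrypted payload into dev_webdisp.
    if p.get("icm/trace_secured_data") == "1":
        findings.append("icm/trace_secured_data = 1 dumps decrypted HTTP payload to the trace")
    try:
        if int(p.get("rdisp/TRACE", "1")) > 1:
            findings.append("rdisp/TRACE above 1; reset to 1 after the test")
    except ValueError:
        findings.append("rdisp/TRACE is not numeric")

    return findings


if __name__ == "__main__":
    for finding in check_reencryption_profile(SAMPLE_PROFILE):
        print("finding:", finding)
```

Run against the profile of this blog it reports exactly the two trace settings, which is the expected result for a test system; run against the same profile with those two lines reset it reports nothing. The script does not replace -checkconfig, which also validates the PSE files and the library itself.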


 


 


Analyzing the scenario and the dev_webdisp trace file


As in the other scenarios, a trace at level 3 written to dev_webdisp holds plenty of information. From a test calling a given ICF service (WEBGUI, for example) it is possible to see the moment the request reaches the WDP:


 


"...


[Thr 6876] IcmWorkerThread: worker 2 got the semaphore


[Thr 6876] REQ TRACE BEGIN: 0/18/1


[Thr 6876] REQUEST:


    Type: ACCEPT_CONNECTION    Index = 2


[Thr 6876] CONNECTION (id=0/18):


    used: 1, type: default, role: Server(1), stateful: 0


    NI_HDL: 147, protocol: HTTPS(2)


    local host:  <WDP IP>:10000 ()


    remote host: <Client IP>:53691 ()


    status: NOP


    connect time: xx.zz.yyyy aa:bb:cc


    MPI request:        <0>      MPI response:        <0>  


request_buf_size:   0        response_buf_size:   0    


request_buf_used:   0        response_buf_used:   0    


request_buf_offset: 0 response_buf_offset: 0    


..."


 


Next it is possible to check the SSL handshake between the client (browser) and the server (here the WDP). Note that this WDP runs with the library defaults of the time: the server-configured cipher suite list still contains RC4, DES and export-grade suites, and a TLSv1.0 session is negotiated. When reading your own trace, check these two lines; a production WDP should restrict the list with the ssl/ciphersuites profile parameter and allow only current TLS versions.


"...


[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))


[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K


[Thr 6876]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"


[Thr 6876]     out: sssl_hdl = 0000000002D7D810


[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)


[Thr 6876] NiIBlockMode: set blockmode for hdl 147 TRUE


[Thr 6876]   SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:53691


[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)==SAP_O_K


[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7D810)


[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"


[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"


[Thr 6876]   No Client Certificate


[Thr 6876]   New session (TLSv1.0)


[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53EE4, buf_len= 32 }


[Thr 6876]    00000: 5f d1 b3 37 34 1f 33 fc  84 a5 d8 c3 01 4f fe b1   _..74.3. .....O..


[Thr 6876] 00010: 33 99 af e4 20 0f 1a 88  77 24 e2 2f 4a d8 64 c6   3... ... w$./J.d.


[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7D810)==SAP_O_K


[Thr 6876] status = "new SSL session, NO client cert"


..."


 


The request is then read from the connection:


"...


[Thr 6876] IcmReadFromConn(id=0/18): read 443 bytes, 1 readops (timeout 0)


[Thr 6876] Address Offset  IcmReadFromConn received


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|


[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|


[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|


[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a4163 63657074 2d4c616e | */*..Accept-Lan|


..."


The WDP then routes the request to the AS ABAP. Because wdisp/ssl_encrypt = 1, IcrIFindMatchingPort looks for the server's HTTPS port (prot=1) and selects port 443:


"...


[Thr 6876] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request


[Thr 6876] ICR: IcrFindTargetSystem(0000000002D614F0, '/sap/bc/gui/sap/its/webgui' -> 0


[Thr 6876] HttpGetRouteTargetSystem: SID='AAA'


[Thr 6876] ICT: IctLookupPathTable() -> 0


[Thr 6876] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui


[Thr 6876] HTR: routing destination type = ICF/ABAP .


[Thr 6876] HTR: No esid found in request


[Thr 6876] HTR: HtrIExtractSessionID -> '' 0


[Thr 6876] HTR: stateless request (no valid session ID found) or initial request for stored session id


[Thr 6876] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/0valid=1 resp=1 capacity=10


[Thr 6876] ICR: IcrIFindMatchingPort for prot=1 stack=1 vhost=-1


[Thr 6876] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10


[Thr 6876] ICR: IcrIFindMatchingPort: compare with 1 0 443 10


[Thr 6876] ICR: IcrIFindMatchingPort: found matching port: prot=1 vhost=0 port=443 f=10


[Thr 6876] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00


[Thr 6876] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:443/1/0


..."


 


Since the connection to the application server uses HTTPS, a second SSL handshake is necessary, this time with the WDP in the client role. Two details are worth checking here: the WDP connects as an anonymous client (auth_type=0, no client certificate, even though the server's certificate request lists the CAs it trusts), and it verifies that the CN of the backend certificate matches the target hostname (MatchTargetName ... == EXACT match). A name mismatch, or a backend CA missing from SAPSSLC.pse, makes this handshake fail:


"...


[Thr 6876] NiHLGetNodeAddr: found hostname '<FQDN WAS>' in cache


[Thr 6876] NiIGetNodeAddr: hostname '<FQDN WAS>' = addr <WAS IP>


[Thr 6876] NiIGetServNo: servicename '443' = port 443


[Thr 6876] NiICreateHandle: hdl 153 state NI_INITIAL_CON


[Thr 6876] NiIInitSocket: set default settings for new hdl 153/sock 32916 (I4; ST)


[Thr 6876] NiIBlockMode: set blockmode for hdl 153 FALSE


[Thr 6876] NiIConnectSocket: hdl 153 is connecting to <WAS IP>:443 (timeout=5000)


[Thr 6876] SiPeekPendConn: connection of sock 32916 established


[Thr 6876] NiICheckPendConnection: connection of hdl 153 to <WAS IP>:443 established


[Thr 6876] NiIConnect: hdl 153 took local address <WDP IP>:53692


[Thr 6876] NiIConnect: state of hdl 153 NI_CONNECTED


[Thr 6876] IcmConnPoolConnect: Connection to host: <FQDN WAS>, service: 443 established (nihdl=153)


[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))


[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K


[Thr 6876]      in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"


[Thr 6876]     out: sssl_hdl = 0000000002D7DA30


[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)


[Thr 6876] NiIBlockMode: set blockmode for hdl 153 TRUE


[Thr 6876]   SSL NI-sock: local=<WDP IP>:53692 peer=<WAS IP>:443


[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)==SAP_O_K


[Thr 6876] ->> SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30, &hostname=0000000002D4FE20)


[Thr 6876] <<- SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30)==SAP_O_K


[Thr 6876]      in: hostname = "<FQDN WAS>"


[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7DA30)


[Thr 6876] SapISSLUseSessionCache(): Creating NEW session (0 cached)


[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)


[Thr 6876]   Server Certificate available (FCPath-Len= 0)


[Thr 6876]   Server's List of trusted CA DNames (from cert-request message):


[Thr 6876]     #1  "CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??"


[Thr 6876]     #2  "CN=kkkkkkkkkkkk, O=wwwwwwwwww, C=??"


[Thr 6876] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry


[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53F64, buf_len= 32 }


[Thr 6876] 00000: 5e 4a f0 f1 1d 0e 94 c8  c8 37 d0 c5 66 4b c1 e0   ^J...... .7..fK..


[Thr 6876] 00010: 80 26 ee b5 b1 0e 36 bb  92 45 10 c9 3a 8d ad e4   .&....6. .E..:...


...


[Thr 6876]   Subject DN: CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??


[Thr 6876] Issuer  DN: CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??


[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA


[Thr 6876] MatchTargetName("<FQDN WAS>", CN="<FQDN WAS>") == EXACT match


[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7DA30)==SAP_O_K


[Thr 6876] status = "new SSL session"


[Thr 6876] Server DN = " CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??"


[Thr 6876] IcmConnPoolNewEntry: created new entry 000000000B8A0930[0] for pool 000000000B809610 (nihdl=153, ssl=0000000002D7DA30)


[Thr 6876] ICR: IcrAttachToServer('!DIAGS' 1 2 4100 1 port:443/1/0) 0-> 0


[Thr 6876] HTR: routing to destination 'HOST_AAA_00' (balanceable=0)


[Thr 6876] server triggered


[Thr 6876]    Pool Entry 000000000B8A0930:


[Thr 6876]    NI: 153, SSL: 0000000002D7DA30, allocated: 1, inuse: 1, desc: 000000000B8096B0


..."


 


The WDP then forwards the request to the application server over the new connection (note that it has normalized the header names to lower case on the way):


"...


[Thr 6876] local host: <WDP IP>:53692


[Thr 6876] remote host: <WAS IP>:443


[Thr 6876] HTR: forwarding buffer to server (443)


[Thr 6876] Address Offset  Send to AppServer via net:


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|


[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|


[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|


[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a6163 63657074 2d6c616e | */*..accept-lan|


..."


 


A response is received from the application server:


"...


[Thr 6876] Address Offset  IcmReadFromPartner received


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|


[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|


[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|


[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|


[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|


[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|


..."


The response is then re-encrypted and sent to the web browser:


"...


[Thr 6876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)


[Thr 6876] IcmHandleNetWrite(id=0/18): HandleServData returned: 1


[Thr 6876] Address    Offset  IcmWriteToConn:


[Thr 6876] ------------------------------------------------------------------------


[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|


[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|


[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|


[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|


[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|


[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|


..."


 


Finally, the thread is free to wait for a new request:


"...


[Thr 6876] IcmWriteToConn(id=0/18): wrote data to partner (len = 5243)


[Thr 6876] IcmNetBufFree: free netbuf: 0000000000759C10 out of 1 used


[Thr 6876] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F75FF0 MPI_OK


[Thr 6876] NiWakeupExec: send wakeup signal to 49627->64998 (sock 33032)


[Thr 6876] IcmConnRollOut: connection (id=0/18) rolled out: reason:1 role:1 timeout:60


[Thr 6876] CONNECTION (id=0/18):


    used: 1, type: default, role: Server(1), stateful: 0


    NI_HDL: 147, protocol: HTTPS(2)


    local host:  <WDP IP>:10000 ()


    remote host: <Client IP>:53691 ()


    status: READ_REQUEST


    connect time: xx.zz.yyyy aa:bb:cc


    MPI request:        <4>      MPI response:        <5>  


request_buf_size:   0        response_buf_size:   0    


request_buf_used:   0        response_buf_used:   0    


request_buf_offset: 0 response_buf_offset: 0    


[Thr 6876] IcmWorkerThread: SSL Session rolled out


[Thr 6876] REQ TRACE END: 0/18/1

[Thr 6876] IcmWorkerThread: Thread 2: Waiting for event


..."


 


If the parameter icm/trace_secured_data = 1 is not set, the decrypted payload is not written to the trace; the following entry appears instead:


"…


BINDUMP of content denied


…"
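To turn the trace reading above into a repeatable check, here is an added Python example (not part of the original post and not an SAP tool). It groups the SapSSL* handshake lines of a level-3 dev_webdisp trace into sessions, confirms that a server-side handshake (browser to WDP) is followed by a client-side one (WDP to application server), which is the signature of re-encryption, and flags weak cipher suites, old protocol versions and a missing backend hostname check. The sample trace is constructed from the lines quoted in this blog, with hypothetical IP addresses and hostnames in place of the placeholders.

```python
"""Scan a level-3 dev_webdisp trace for the SSL re-encryption evidence shown above.

Added example, not an SAP tool. It groups the SapSSL* handshake lines into
sessions, confirms that a server-side handshake (browser -> WDP) is followed by
a client-side one (WDP -> application server), and flags weak cipher suites,
old protocol versions and a missing backend hostname check.
"""
import re

# Constructed sample: the handshake lines quoted in this blog, with the
# placeholder IPs and hostnames replaced by hypothetical values.
SAMPLE_TRACE = """\
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 6876]   SSL NI-sock: local=10.0.0.5:10000 peer=10.0.0.9:53691
[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"
[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"
[Thr 6876]   No Client Certificate
[Thr 6876]   New session (TLSv1.0)
[Thr 6876] status = "new SSL session, NO client cert"
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))
[Thr 6876]      in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"
[Thr 6876]   SSL NI-sock: local=10.0.0.5:53692 peer=10.0.0.7:443
[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)
[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA
[Thr 6876] MatchTargetName("was.foo.bar", CN="was.foo.bar") == EXACT match
[Thr 6876] status = "new SSL session"
"""

# Substrings that identify cipher suites a current TLS baseline does not allow.
WEAK_MARKERS = ("EXPORT", "RC4", "RC2", "DES_CBC", "3DES", "_MD5", "NULL", "ANON")

SESSION_INIT = re.compile(r"SapSSLSessionInit\(.*role=\d \(([A-Z-]+)\)")
FIELDS = [
    ("peer", re.compile(r"SSL NI-sock: local=\S+ peer=(\S+)")),
    ("configured", re.compile(r'Server-configured Ciphersuites: "([^"]*)"')),
    ("protocol", re.compile(r"(?:New session|created new SSL session) \((\S+)\)")),
    ("cipher", re.compile(r"Current Cipher: (\S+)")),
    ("name_match", re.compile(r"MatchTargetName\(.*\) == (\w+) match")),
]


def parse_ssl_sessions(trace):
    """Group handshake lines into one dict per SapSSLSessionInit call, in trace order."""
    sessions, cur = [], None
    for line in trace.splitlines():
        m = SESSION_INIT.search(line)
        if m:
            cur = {"role": m.group(1), "peer": None, "configured": None,
                   "protocol": None, "cipher": None, "name_match": None,
                   "client_cert": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in FIELDS:
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
                break
        else:
            if "No Client Certificate" in line:
                cur["client_cert"] = False
    return sessions


def weak_suites(suite_list):
    """Return the entries of a ':'-separated suite list that use a weak algorithm."""
    return [s for s in suite_list.split(":") if any(w in s for w in WEAK_MARKERS)]


def assess(trace):
    """Return (reencrypted, findings) for a trace excerpt."""
    sessions = parse_ssl_sessions(trace)
    findings, server_seen, reencrypted = [], False, False
    for i, s in enumerate(sessions):
        if s["role"] == "SERVER":
            server_seen = True
        elif s["role"] == "CLIENT" and server_seen:
            reencrypted = True  # the WDP opened its own SSL session to the backend
        tag = f"session {i} ({s['role']}, peer {s['peer']})"
        if s["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"{tag}: negotiated {s['protocol']}; TLS 1.2 or later expected")
        if s["configured"] and weak_suites(s["configured"]):
            findings.append(f"{tag}: weak suites enabled on the WDP: "
                            + ", ".join(weak_suites(s["configured"])))
        if s["cipher"] and weak_suites(s["cipher"]):
            findings.append(f"{tag}: negotiated weak cipher {s['cipher']}")
        if s["role"] == "CLIENT" and s["name_match"] != "EXACT":
            findings.append(f"{tag}: backend certificate not matched against the target hostname")
    return reencrypted, findings


if __name__ == "__main__":
    ok, notes = assess(SAMPLE_TRACE)
    print("re-encryption confirmed:", ok)
    for note in notes:
        print("finding:", note)
```

On the sample it confirms the re-encryption (a SERVER session followed by a CLIENT session with an exact hostname match) and raises three findings: TLSv1.0 on both legs, and seven RC4, DES, 3DES, MD5 or export-grade suites in the WDP's server-configured list. A trace of a pure SSL termination setup has no CLIENT session and is reported as not re-encrypted.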


Stay tuned for my next blog about End-to-End SSL in the SAP Web Dispatcher!

