The goal of this blog post is to provide the steps which are necessary to configure the SSL termination scenario on web dispatcher integrated into SCS instance in process orchestration (as Java).
The blog post includes the configuration of the web dispatcher into an existing SCS instance running on NW 7.5 (as Java) system along with SSL termination configuration to access PO tools such as enterprise service repository, integration directory, process monitoring and SLD using HTTPS protocol
- SAP process orchestration server is installed
- SAP cryptographic library is already installed
1. Profile Parameters
Following parameters need to be updated in SCS instance profile to setup the integrated web dispatcher into existing SCS instance.
- _CPARGX = list:$(DIR_CT_RUN)/webdispinst.lst
- Execute_<xx> = immediate $(DIR_CT_RUN)/sapcpe$(FT_EXE) pf=$(_PF) $(_CPARGX)
- _WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
- Execute_<xx> = local rm -f $(_WD)
- Execute_<xx> = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)
- Restart_Program_<xx> = local $(_WD) pf=$(_PF)
- wdisp/system_0 = SID=<SID>, MSHOST=<hostname>, MSPORT=81<inst_no>, SRCSRV=*:<disp_port_no>, SRCURL=/
- icm/authfile = /usr/sap/<SID>/SYS/global/security/data/icmauth.txt
- icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
- icm/max_conn = 500
- icm/server_port_0 = PROT=HTTPS,PORT=<disp_port_no>
Please do adjust serial number XX in SCS profile
2. Extract Sapwebdisp SAR file
Download SAP web dispatcher SAR (
version must be equal or greater than system kernel version) from service marketplace and extract it in kernel directory
3. SCS instance Restart
After restart, sap web dispatcher service will be visible running in SCS instance
1. Update Profile Parameter in SCS Profile
Update following SSL parameters in SCS instance profile and take dispatcher restart from admin console to activate them
- wdisp/add_client_protocol_header = true
- wdisp/handle_webdisp_ap_header = 1
- wdisp/add_xforwardedfor_header = true
- wdisp/ssl_encrypt = 0
- wdisp/ssl_auth = 1
- icm/HTTPS/verify_client = 1
2. Generate CSR Request
Login to SAP web dispatcher admin console and create new PSE as per the SAP system FQDN.
Generate the CSR and get it signed by authorized CA then import the response using dispatcher console.
3. Execute Dispatcher Profile Check
Execute the command sapwebdisp pf=<scs_instance_profile> -checkconfig
Make sure there shouldn't be any error/warning in dispatcher profile check
Execute the NWA url with web dispatcher HTTPS port and you will find that certificate status is Ok
Steps to activate HTTPS for PO Tools
Login to NWA and modify the exchange profile properties
- Login to NWA and access the Java system properties under configuration tab.
- Search for "XPI Service: AII Config Service" in services tab
- Select the below parameters (related to ESR and IR tool) and change the ICM port to dispatcher HTTPS port
- com.sap.aii.connect.repository.httpsport
- com.sap.aii.connect.directory.httpsport
4. Select the parameter "
com.sap.aii.connect.secure_connections" and change its value to all (
Restart is not required).
Now, all the required PO tools will be accessible through HTTPS protocol running with web dispatcher port defined in SCS profile
In this blog post I have explained in detail about SSL termination setup on SAP Web Dispatcher Integrated into Process Orchestration SCS Instance with relevant screen shots. I would conclude this blog by highlighting an important fact that SSL termination scenario establish the communication channel between web dispatcher and application server on HTTP protocol which means that unencrypted request will be forwarded from web dispatcher to the Application server.