There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End-to-End SSL. This blog presents the second scenario.
Prerequisites
Profile parameters
The standard SSL configuration demands the following three parameters:
ssl/ssl_lib = <path>\sapcrypto.dll
ssl/server_pse = <path>\SAPSSLS.pse
ssl/client_pse = <path>\SAPSSLC.pse
As the WDP 7.20 or higher can connect to different systems, the following parameters were set:
wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000
wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001
The server ports must also be defined:
icm/server_port_0 = PROT=HTTP,PORT=9999
icm/server_port_1 = PROT=HTTPS,PORT=10000
icm/server_port_2 = PROT=HTTPS,PORT=10001
As the WDP will perform a re-encryption of the data, the parameter below must be set:
wdisp/ssl_encrypt = 1
Last but not least, for testing purposes, the HTML dump into the trace will be enabled, along with trace level 3. Important: the trace files will be HUGE! The parameters below should be set only for a quick test or for error analysis. The default trace level (i.e. 1) must be used in productive systems (and, for security reasons, the HTML dump should not be active).
icm/trace_secured_data = 1
rdisp/TRACE = 3
Checking the configuration
As soon as the profile file is saved, one can test the configuration by running:
sapwebdisp pf=sapwebdisp.pfl -checkconfig
No error message is expected (the output of -checkconfig is the same as shown here).
The WDP is now ready to work!
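Beyond -checkconfig, the parameters above have to agree with each other: every SRCSRV port of a wdisp/system_N entry must be an HTTPS icm/server_port, wdisp/ssl_encrypt must be 1, and the trace settings must not stay at their test values. The check below is an added example, not the author's or SAP's code; the profile excerpt is constructed from the parameters listed above with placeholder paths and message-server hosts.

```python
import re
# Constructed sapwebdisp.pfl excerpt mirroring the parameters listed above (paths and MSHOSTs are placeholders).
PROFILE = """\
ssl/ssl_lib = D:\\sec\\sapcrypto.dll
ssl/server_pse = D:\\sec\\SAPSSLS.pse
ssl/client_pse = D:\\sec\\SAPSSLC.pse
wdisp/system_0 = SID=AAA, MSHOST=ms-aaa.foo.bar, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000
wdisp/system_1 = SID=BBB, MSHOST=ms-bbb.foo.bar, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001
icm/server_port_0 = PROT=HTTP,PORT=9999
icm/server_port_1 = PROT=HTTPS,PORT=10000
icm/server_port_2 = PROT=HTTPS,PORT=10001
wdisp/ssl_encrypt = 1
icm/trace_secured_data = 1
rdisp/TRACE = 3
"""

def parse_profile(text):
    """Return {parameter: value}; blank and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def fields(value):
    """'PROT=HTTPS,PORT=10000' or 'SID=AAA, MSHOST=..' -> {'PROT': 'HTTPS', 'PORT': '10000'}"""
    return {k.strip().upper(): v.strip()
            for k, v in (f.split("=", 1) for f in value.split(",") if "=" in f)}

def check_profile(params):
    """Return findings for the re-encryption scenario (empty list = nothing to fix)."""
    findings = []
    https_ports = {fields(v).get("PORT") for k, v in params.items()
                   if k.startswith("icm/server_port_") and fields(v).get("PROT", "").upper() == "HTTPS"}
    for name, value in params.items():
        if name.startswith("wdisp/system_"):
            port = fields(value).get("SRCSRV", "").rsplit(":", 1)[-1]  # port part of host:port
            if port not in https_ports:
                findings.append(f"{name}: SRCSRV port {port or '?'} is not an HTTPS icm/server_port")
    for key in ("ssl/ssl_lib", "ssl/server_pse", "ssl/client_pse"):
        if key not in params:
            findings.append(f"{key} is missing")
    if params.get("wdisp/ssl_encrypt") != "1":
        findings.append("wdisp/ssl_encrypt must be 1 so the WDP re-encrypts towards the backend")
    if params.get("icm/trace_secured_data") == "1":
        findings.append("icm/trace_secured_data=1 writes decrypted HTTP into the trace; test only")
    if params.get("rdisp/TRACE", "1") != "1":
        findings.append(f"rdisp/TRACE={params['rdisp/TRACE']}; reset to 1 after testing")
    return findings
```

Run against the test profile it reports only the two trace settings, which is exactly what should be reverted before the WDP goes productive.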
Analyzing the scenario and the dev_webdisp trace file
Similar to other scenarios, the trace level 3 recorded in dev_webdisp has plenty of information. From a test calling a given internet service (WEBGUI, for example) it is possible to see the moment the request reached the WDP:
"...
[Thr 6876] IcmWorkerThread: worker 2 got the semaphore
[Thr 6876] REQ TRACE BEGIN: 0/18/1
[Thr 6876] REQUEST:
Type: ACCEPT_CONNECTION Index = 2
[Thr 6876] CONNECTION (id=0/18):
used: 1, type: default, role: Server(1), stateful: 0
NI_HDL: 147, protocol: HTTPS(2)
local host: <WDP IP>:10000 ()
remote host: <Client IP>:53691 ()
status: NOP
connect time: xx.zz.yyyy aa:bb:cc
MPI request: <0> MPI response: <0>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
..."
Next it is possible to check the SSL handshake between the client and the server (WDP):
"...
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K
[Thr 6876] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 6876] out: sssl_hdl = 0000000002D7D810
[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)
[Thr 6876] NiIBlockMode: set blockmode for hdl 147 TRUE
[Thr 6876] SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:53691
[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)==SAP_O_K
[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7D810)
[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"
[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"
[Thr 6876] No Client Certificate
[Thr 6876] New session (TLSv1.0)
[Thr 6876] HexDump of native SSL session ID { &buf= 0000000002D53EE4, buf_len= 32 }
[Thr 6876] 00000: 5f d1 b3 37 34 1f 33 fc 84 a5 d8 c3 01 4f fe b1 _..74.3. .....O..
[Thr 6876] 00010: 33 99 af e4 20 0f 1a 88 77 24 e2 2f 4a d8 64 c6 3... ... w$./J.d.
[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7D810)==SAP_O_K
[Thr 6876] status = "new SSL session, NO client cert"
..."
The request is then read from the connection:
"...
[Thr 6876] IcmReadFromConn(id=0/18): read 443 bytes, 1 readops (timeout 0)
[Thr 6876] Address Offset IcmReadFromConn received
[Thr 6876] ------------------------------------------------------------------------
[Thr 6876] 0000000003F76058 000000 47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|
[Thr 6876] 0000000003F76068 000016 7361702f 6974732f 77656267 75692048 |sap/its/webgui H|
[Thr 6876] 0000000003F76078 000032 5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|
[Thr 6876] 0000000003F76088 000048 202a2f2a 0d0a4163 63657074 2d4c616e | */*..Accept-Lan|
..."
The WDP reaches the ABAP web application server via HTTPS:
"...
[Thr 6876] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request
[Thr 6876] ICR: IcrFindTargetSystem(0000000002D614F0, '/sap/bc/gui/sap/its/webgui' -> 0
[Thr 6876] HttpGetRouteTargetSystem: SID='AAA'
[Thr 6876] ICT: IctLookupPathTable() -> 0
[Thr 6876] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui
[Thr 6876] HTR: routing destination type = ICF/ABAP .
[Thr 6876] HTR: No esid found in request
[Thr 6876] HTR: HtrIExtractSessionID -> '' 0
[Thr 6876] HTR: stateless request (no valid session ID found) or initial request for stored session id
[Thr 6876] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/0valid=1 resp=1 capacity=10
[Thr 6876] ICR: IcrIFindMatchingPort for prot=1 stack=1 vhost=-1
[Thr 6876] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10
[Thr 6876] ICR: IcrIFindMatchingPort: compare with 1 0 443 10
[Thr 6876] ICR: IcrIFindMatchingPort: found matching port: prot=1 vhost=0 port=443 f=10
[Thr 6876] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00
[Thr 6876] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:443/1/0
..."
Since the connection to the server uses HTTPS, a new SSL handshake is necessary:
"...
[Thr 6876] NiHLGetNodeAddr: found hostname '<FQDN WAS>' in cache
[Thr 6876] NiIGetNodeAddr: hostname '<FQDN WAS>' = addr <WAS IP>
[Thr 6876] NiIGetServNo: servicename '443' = port 443
[Thr 6876] NiICreateHandle: hdl 153 state NI_INITIAL_CON
[Thr 6876] NiIInitSocket: set default settings for new hdl 153/sock 32916 (I4; ST)
[Thr 6876] NiIBlockMode: set blockmode for hdl 153 FALSE
[Thr 6876] NiIConnectSocket: hdl 153 is connecting to <WAS IP>:443 (timeout=5000)
[Thr 6876] SiPeekPendConn: connection of sock 32916 established
[Thr 6876] NiICheckPendConnection: connection of hdl 153 to <WAS IP>:443 established
[Thr 6876] NiIConnect: hdl 153 took local address <WDP IP>:53692
[Thr 6876] NiIConnect: state of hdl 153 NI_CONNECTED
[Thr 6876] IcmConnPoolConnect: Connection to host: <FQDN WAS>, service: 443 established (nihdl=153)
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))
[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K
[Thr 6876] in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"
[Thr 6876] out: sssl_hdl = 0000000002D7DA30
[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)
[Thr 6876] NiIBlockMode: set blockmode for hdl 153 TRUE
[Thr 6876] SSL NI-sock: local=<WDP IP>:53692 peer=<WAS IP>:443
[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)==SAP_O_K
[Thr 6876] ->> SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30, &hostname=0000000002D4FE20)
[Thr 6876] <<- SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30)==SAP_O_K
[Thr 6876] in: hostname = "<FQDN WAS>"
[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7DA30)
[Thr 6876] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)
[Thr 6876] Server Certificate available (FCPath-Len= 0)
[Thr 6876] Server's List of trusted CA DNames (from cert-request message):
[Thr 6876] #1 "CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??"
[Thr 6876] #2 "CN=kkkkkkkkkkkk, O=wwwwwwwwww, C=??"
[Thr 6876] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry
[Thr 6876] HexDump of native SSL session ID { &buf= 0000000002D53F64, buf_len= 32 }
[Thr 6876] 00000: 5e 4a f0 f1 1d 0e 94 c8 c8 37 d0 c5 66 4b c1 e0 ^J...... .7..fK..
[Thr 6876] 00010: 80 26 ee b5 b1 0e 36 bb 92 45 10 c9 3a 8d ad e4 .&....6. .E..:...
...
[Thr 6876] Subject DN: CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??
[Thr 6876] Issuer DN: CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??
[Thr 6876] Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA
[Thr 6876] MatchTargetName("<FQDN WAS>", CN="<FQDN WAS>") == EXACT match
[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7DA30)==SAP_O_K
[Thr 6876] status = "new SSL session"
[Thr 6876] Server DN = " CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??"
[Thr 6876] IcmConnPoolNewEntry: created new entry 000000000B8A0930[0] for pool 000000000B809610 (nihdl=153, ssl=0000000002D7DA30)
[Thr 6876] ICR: IcrAttachToServer('!DIAGS' 1 2 4100 1 port:443/1/0) 0-> 0
[Thr 6876] HTR: routing to destination 'HOST_AAA_00' (balanceable=0)
[Thr 6876] server triggered
[Thr 6876] Pool Entry 000000000B8A0930:
[Thr 6876] NI: 153, SSL: 0000000002D7DA30, allocated: 1, inuse: 1, desc: 000000000B8096B0
..."
A few seconds later the WDP sends the request to the application server:
"...
[Thr 6876] local host: <WDP IP>:53692
[Thr 6876] remote host: <WAS IP>:443
[Thr 6876] HTR: forwarding buffer to server (443)
[Thr 6876] Address Offset Send to AppServer via net:
[Thr 6876] ------------------------------------------------------------------------
[Thr 6876] 0000000003F76058 000000 47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|
[Thr 6876] 0000000003F76068 000016 7361702f 6974732f 77656267 75692048 |sap/its/webgui H|
[Thr 6876] 0000000003F76078 000032 5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|
[Thr 6876] 0000000003F76088 000048 202a2f2a 0d0a6163 63657074 2d6c616e | */*..accept-lan|
..."
A response is received from the application server:
"...
[Thr 6876] Address Offset IcmReadFromPartner received
[Thr 6876] ------------------------------------------------------------------------
[Thr 6876] 0000000003F76058 000000 48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|
[Thr 6876] 0000000003F76068 000016 0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|
[Thr 6876] 0000000003F76078 000032 6578742f 68746d6c 3b206368 61727365 |ext/html; charse|
[Thr 6876] 0000000003F76088 000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|
[Thr 6876] 0000000003F76098 000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|
[Thr 6876] 0000000003F760A8 000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|
..."
The response is then re-encrypted and sent to the web browser:
"...
[Thr 6876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)
[Thr 6876] IcmHandleNetWrite(id=0/18): HandleServData returned: 1
[Thr 6876] Address Offset IcmWriteToConn:
[Thr 6876] ------------------------------------------------------------------------
[Thr 6876] 0000000003F76058 000000 48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|
[Thr 6876] 0000000003F76068 000016 0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|
[Thr 6876] 0000000003F76078 000032 6578742f 68746d6c 3b206368 61727365 |ext/html; charse|
[Thr 6876] 0000000003F76088 000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|
[Thr 6876] 0000000003F76098 000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|
[Thr 6876] 0000000003F760A8 000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|
..."
Finally, the thread is free to wait for a new request:
"...
[Thr 6876] IcmWriteToConn(id=0/18): wrote data to partner (len = 5243)
[Thr 6876] IcmNetBufFree: free netbuf: 0000000000759C10 out of 1 used
[Thr 6876] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F75FF0 MPI_OK
[Thr 6876] NiWakeupExec: send wakeup signal to 49627->64998 (sock 33032)
[Thr 6876] IcmConnRollOut: connection (id=0/18) rolled out: reason:1 role:1 timeout:60
[Thr 6876] CONNECTION (id=0/18):
used: 1, type: default, role: Server(1), stateful: 0
NI_HDL: 147, protocol: HTTPS(2)
local host: <WDP IP>:10000 ()
remote host: <Client IP>:53691 ()
status: READ_REQUEST
connect time: xx.zz.yyyy aa:bb:cc
MPI request: <4> MPI response: <5>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 6876] IcmWorkerThread: SSL Session rolled out
[Thr 6876] IcmWorkerThread: Thread 2: Waiting for event
..."
If the parameter "icm/trace_secured_data = 1" is not set, it is not possible to see the HTML content. The following log entry appears:
"...
BINDUMP of content denied
..."
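The two handshakes in the trace above (WDP as SSL server towards the browser, WDP as SSL client towards the application server) are where the security-relevant facts live: protocol version, configured and negotiated cipher suites, and whether the backend certificate name matched the target host. The script below is an added example, not the author's code, that pulls those facts out of dev_webdisp lines and lists what a reviewer would flag; the trace excerpt is constructed from the lines shown above with a shortened cipher list and a made-up backend hostname.

```python
import re

# Constructed dev_webdisp excerpt: lines copied from the trace shown above, cipher list shortened, hostname made up.
TRACE = """\
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
[Thr 6876] New session (TLSv1.0)
[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))
[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)
[Thr 6876] Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA
[Thr 6876] MatchTargetName("was.foo.bar", CN="was.foo.bar") == EXACT match
"""
WEAK = ("EXPORT", "RC4", "DES", "MD5", "NULL")   # substring match; "DES" also catches 3DES
OLD = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

def parse_sessions(text):
    """Split the trace into SSL sessions; each SapSSLSessionInit call starts a new one."""
    sessions = []
    for line in text.splitlines():
        body = re.sub(r"^\[Thr \d+\]\s*", "", line)      # strip the thread prefix
        if m := re.search(r"SapSSLSessionInit\(.*role=\d \((\w+)\)", body):
            sessions.append({"role": m.group(1), "suites": [], "version": None,
                             "cipher": None, "host_ok": None})
        elif not sessions:
            continue                                     # lines before the first handshake
        elif m := re.search(r'Server-configured Ciphersuites: "([^"]*)"', body):
            sessions[-1]["suites"] = m.group(1).split(":")
        elif m := re.search(r"session \((TLSv[\d.]+|SSLv\d)\)", body):
            sessions[-1]["version"] = m.group(1)
        elif m := re.search(r"Current Cipher: (\S+)", body):
            sessions[-1]["cipher"] = m.group(1)
        elif m := re.search(r"MatchTargetName\(.*\) == (\w+)", body):
            sessions[-1]["host_ok"] = m.group(1) == "EXACT"
    return sessions

def audit(sessions):
    """Return the findings a reviewer would raise for each handshake in the trace."""
    findings = []
    for i, s in enumerate(sessions):
        tag = f"session {i} ({s['role']})"
        if s["version"] in OLD:
            findings.append(f"{tag}: negotiated {s['version']}; require TLSv1.2 or higher")
        if weak := sorted(c for c in s["suites"] if any(w in c for w in WEAK)):
            findings.append(f"{tag}: weak suites configured: {', '.join(weak)}")
        if s["cipher"] and any(w in s["cipher"] for w in WEAK):
            findings.append(f"{tag}: weak cipher negotiated: {s['cipher']}")
        if s["role"] == "CLIENT" and s["host_ok"] is False:
            findings.append(f"{tag}: backend certificate name does not match target host")
    return findings
```

On the trace shown in this blog both handshakes settle on TLSv1.0 and the server side still offers export and RC4 suites, which is what the audit reports; a trace from a current kernel with an updated cipher configuration should produce an empty list.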
Stay tuned for my next blog about End-to-End SSL in the SAP Web Dispatcher!