Web Dispatcher https for BPC NW systems

Olj
Participant
2,273

Hi,

I need to use SAP Web Dispatcher as a redirect for BPC systems.

I could set up the following:
PRODUCTIVE: https://webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://prdbpc:8000/sap/bpc/web
QUALITY: https://webdisp:8888/sap/bpc/web --> webdisp redirect to --> http://qasbpc:8000/sap/bpc/web


My web dispatcher configuration:

wdisp/system_0 = SID=PRD, MSHOST=PRDbpc, MSPORT=8101, SRCSRV=*:7777, SSL_ENCRYPT=0

wdisp/system_1 = SID=QAS, MSHOST=QASbpc, MSPORT=8101, SRCSRV=*:8888, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600

icm/server_port_1 = PROT=HTTPS,PORT=8888, TIMEOUT=340,PROCTIMEOUT=600

At first I had a certificate error in the browser; then I installed the certificate via the browser and everything worked fine.

But many users often confuse the Prod and Quality systems, because the URLs are very similar (the only difference is the port).

Our consultants ask about URLs like:

https://PRD.webdisp:7777/sap/bpc/web
https://QAS.webdisp:7777/sap/bpc/web

(it's really more usable)

I tried to set it up via rules:

if %{HTTP_HOST} regimatch PRD.webdisp*
SetHeader x-sap-webdisp-target-sid PRD [break]

if %{HTTP_HOST} regimatch QAS.webdisp*
SetHeader x-sap-webdisp-target-sid QAS [break]

The URL opens fine, but I get a certificate error in the browser:


I tried many times to install the certificate via the browser, but I still get an error about an untrusted site.

I can click "Continue to this website (not recommended)", but then I cannot run the EPM add-in:


As far as I know, my browser doesn't accept the certificate because I use the hostname Prd.webdisp in the URL, whereas the true hostname is 'webdisp'.
Please help me: how can I set up a "normal" https connection to my BPC systems?
Thanks...

Accepted Solutions (1)

Isaías
Product and Topic Expert
0 Kudos

Hello,

You will have to create two certificates, and configure the Web Dispatcher to use one for the production hostname and the other for the quality hostname.

In addition, you do not need to use the modification rules to determine which backend system (prod or QA) should take the request.

Check out the WIKI pages below.

Cheers!

Isaías
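
The name mismatch behind the browser warning, as an added example that is not part of the original posts: importing a certificate into the browser settles trust, but the DNS names in the certificate must still cover the host in the URL. The matcher is a simplified RFC 6125 DNS-name check; the PSE file names and the certificate name lists are constructed for illustration.

```python
from urllib.parse import urlsplit

def dns_id_matches(pattern, hostname):
    """True if one certificate DNS name (SAN entry) covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                  # a wildcard stands for exactly one label
    if p_labels[1:] != h_labels[1:]:
        return False                  # everything right of the first label must be equal
    if p_labels[0] == "*":
        return bool(h_labels[0])      # only a whole left-most label may be a wildcard
    return p_labels[0] == h_labels[0]

def covering_certs(url, certs):
    """Labels of the certificates whose DNS names cover the host in the URL."""
    host = urlsplit(url).hostname     # lower-cased, port removed
    return [label for label, names in certs.items()
            if any(dns_id_matches(name, host) for name in names)]

# URLs taken from the thread.
URLS = [
    "https://webdisp:7777/sap/bpc/web",
    "https://PRD.webdisp:7777/sap/bpc/web",
    "https://QAS.webdisp:7777/sap/bpc/web",
]

# Constructed inventories: hypothetical PSE name -> DNS names in its certificate.
ONE_CERT = {"webdisp.pse": ["webdisp"]}                        # the original setup
TWO_CERTS = {"prd.pse": ["prd.webdisp"], "qas.pse": ["qas.webdisp"]}

def report(certs):
    """Map every URL to the certificates that would validate for it."""
    return {url: covering_certs(url, certs) for url in URLS}

if __name__ == "__main__":
    for title, certs in (("one certificate", ONE_CERT),
                         ("one certificate per hostname", TWO_CERTS)):
        print(title)
        for url, hits in report(certs).items():
            print(f"  {url:40} {', '.join(hits) if hits else 'NAME MISMATCH'}")
```
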

Olj
Participant
0 Kudos

Thanks Isaias!

Isaías
Product and Topic Expert
0 Kudos

You are welcome! 🙂

Olj
Participant
0 Kudos
Hi Isaias,

It's me again.

I have a new problem: I need to establish a connection between a Tomcat application (SAP FIM, http) --> WebDisp (httpS) --> BPC (http).

When I use HTTP on the WebDisp side, everything works fine, but when I tried to use https on WebDisp I got errors:

On the Tomcat (FIM) side:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

On the WebDisp side:

[Thr 140080339609344] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 140080339609344] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 140080339609344] srv SSL session PSE "/usr/sap/WBC/W00/sec/bpc.pse"
[Thr 140080339609344] session ciphersuites=HIGH:PFS:MEDIUM:+e3DES:!aNULL
[Thr 140080339609344] Server SSL_CTX 7f66f8203060 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 140080339609344] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 140080339609344] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 140080339609344] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 140080339609344] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 140080339609344] SSL API error
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_accept
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] << ---------- End of Secu-SSL Errorstack ----------
[Thr 140080339609344] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:64613
[Thr 140080339609344] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f66ec0008c0)==SSSLERR_SSL_READ
[Thr 140080339609344] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1894]

My WebDisp configuration now:

wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse

On the Tomcat (FIM) side I added the bpc.pse certificate to the keystore.

I checked the ICM log on the BPC side - it's clear.

It looks like Tomcat (FIM) cannot understand the Web Dispatcher's TLS protocol.

Can you help me please?

Isaías
Product and Topic Expert
0 Kudos

Hello Daulet,

Since this is a new issue, you should create a new question in the community.

Anyway, the error seems to be:

received a fatal TLS certificate unknown alert message from the peer

Please verify whether this SAP WIKI page can help you.

Best regards,

Isaías
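
A triage sketch for the trace quoted in the question above, as an added example that is not part of the original posts: it groups trace lines by thread and reports, per failed server-side handshake, which PSE was served, which peer connected and which TLS alert came back. The trace lines are copied (shortened) from the post; the field names in the result are this example's own.

```python
import re

# Lines copied from the Web Dispatcher trace in the post above (shortened).
TRACE = '''\
[Thr 140080339609344] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 140080339609344] srv SSL session PSE "/usr/sap/WBC/W00/sec/bpc.pse"
[Thr 140080339609344] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 140080339609344] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:64613
[Thr 140080339609344] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1894]
'''

LINE = re.compile(r"^\[Thr (\d+)\]\s+(.*)$")
FIELDS = {
    "state": re.compile(r'SSL_get_state\(\)==\S+ "([^"]+)"'),
    "pse": re.compile(r'session PSE "([^"]+)"'),
    "alert": re.compile(r'=> "received a fatal TLS (.+?) alert message from the peer"'),
    "local": re.compile(r"local=(\S+)"),
    "peer": re.compile(r"peer=(\S+)"),
}
END_MARKER = "IcmConnInitServerSSL"   # last line of a failed handshake record

def triage(trace):
    """Return one summary dict per failed server-side TLS handshake."""
    open_records, finished = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                   # not a thread-prefixed trace line
        thread, text = m.groups()
        rec = open_records.setdefault(thread, {})
        for key, rx in FIELDS.items():
            hit = rx.search(text)
            if hit:
                rec.setdefault(key, hit.group(1))   # keep the first occurrence
        if END_MARKER in text:
            rec = open_records.pop(thread)
            # An alert "from the peer" was sent by the remote side, so the
            # connecting client is the party that refused the certificate.
            rec["rejected_by"] = "peer" if "alert" in rec else "unknown"
            finished.append(rec)
    return finished

if __name__ == "__main__":
    for rec in triage(TRACE):
        print(rec)
```
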

Olj
Participant
0 Kudos

Hi Isaias, thanks for the help.

I created a new question in the community:

https://answers.sap.com/questions/355467/connection-between-sap-fim-tomcat-and-bpc-nw-throu.html

Can you look at that?

Answers (0)