Mar 25, 2019 at 11:58 AM

Connect PO to third party with webdispatcher due to insufficient cipher suites

Last edit Mar 25, 2019 at 06:40 PM

All,

We're facing an issue with PO not being able to communicate with a third party due to the wrong cipher suites. I've seen several posts regarding missing cipher suites and noticed the advice to use a Webdispatcher for this. We cannot get this to work. It also feels like we're using the Webdispatcher the other way around.

The situation is as follows:

The third party says we don't need to exchange certificates. It should be accepted without any issues.

For now we've installed the Webdispatcher on the PO server. It's configured as follows:

SAPSYSTEMNAME = WDD
SAPGLOBALHOST = <server>
SAPSYSTEM = 02
INSTANCE_NAME = W02
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
DIR_PROFILE = \\<server>\sapmnt\WDD\SYS\profile
_PF = $(DIR_PROFILE)\WDD_W02_<server>
SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%
ssl/ssl_lib = C:\usr\sap\WDD\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDD\W02\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDD\W02\sec\SAPSSLC.pse
#-----------------------------------------------------------------------
# Cipher suites
#-----------------------------------------------------------------------
ssl/ciphersuites = PFS:HIGH:MEDIUM
ssl/client_ciphersuites = PFS:HIGH:MEDIUM
#-----------------------------------------------------------------------
# Back-end system configuration
#-----------------------------------------------------------------------
wdisp/system_0 = SID=EXT, EXTSRV=https://api.<thirdparty>.nl, SRCURL=/api/v1/shipments, SRCSRV=*:8102
#-----------------------------------------------------------------------
# Configuration of maximum number of concurrent connections
#-----------------------------------------------------------------------
icm/max_conn = 500
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=8102
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
#-----------------------------------------------------------------------
# Start webdispatcher
#-----------------------------------------------------------------------
_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)
Restart_Program_00 = local $(_WD) pf=$(_PF)
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec


We made sure that port 8102 is open for traffic from the third party. Also the sapcryptolib is on a level high enough to handle the cipher suites.

The monitor application servers in the Webdispatcher admin shows the following:

After activating (activate server EXTERN) we created a trust. The third party automatically returned two certificates which we imported in the client PSE:

As an extra precaution the certificates have also been imported into the server PSE.

The option to ping the HTTPS servers brings back the correct site in the browser and eventually the question mark under valid (HTTPS) turns to a green check mark.

Our questions are:

* Should this be possible and if so, is the above configuration correct?
* Should certificates be exchanged between PO and the Webdispatcher?

If there is a how-to guide or blog I've missed, or you have any thoughts on this, please let me know.

Thanks,

Rob

Attachments

9c9py.png (19.0 kB)
trust.png (17.0 kB)
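Added example, not part of the original post and not SAP code: a small profile check that maps each `wdisp/system_<n>` entry to its two TLS legs and the PSE and cipher-suite parameters that govern each. It assumes the documented roles (`ssl/server_pse` and `ssl/ciphersuites` for connections the Web Dispatcher accepts, `ssl/client_pse` and `ssl/client_ciphersuites` for connections it opens); the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the TLS-relevant lines of the profile posted above.
PROFILE = r"""
ssl/server_pse = C:\usr\sap\WDD\W02\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDD\W02\sec\SAPSSLC.pse
# Cipher suites
ssl/ciphersuites = PFS:HIGH:MEDIUM
ssl/client_ciphersuites = PFS:HIGH:MEDIUM
wdisp/system_0 = SID=EXT, EXTSRV=https://api.<thirdparty>.nl, SRCURL=/api/v1/shipments, SRCSRV=*:8102
icm/server_port_0 = PROT=HTTPS,PORT=8102
"""

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and # comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def subparams(value):
    """Split 'A=1, B=2' into {'A': '1', 'B': '2'}."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)

def tls_legs(params):
    """Per wdisp/system_<n>: which PSE and cipher parameter each TLS leg uses."""
    ports = {}  # listening port -> protocol, from icm/server_port_<n>
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            sp = subparams(value)
            ports[sp.get("PORT")] = sp.get("PROT")
    legs, findings = [], []
    for key, value in params.items():
        if not re.fullmatch(r"wdisp/system_\d+", key):
            continue
        sysdef = subparams(value)
        src_ports = [s.rpartition(":")[2] for s in sysdef.get("SRCSRV", "").split(";") if s]
        inbound_tls = any(ports.get(p) == "HTTPS" for p in src_ports)
        outbound_tls = sysdef.get("EXTSRV", "").lower().startswith("https://")
        findings += [f"{key}: SRCSRV port {p} has no icm/server_port_<n>"
                     for p in src_ports if p not in ports]
        for leg, tls, needed in (
            ("caller -> Web Dispatcher", inbound_tls, ("ssl/server_pse", "ssl/ciphersuites")),
            ("Web Dispatcher -> EXTSRV", outbound_tls, ("ssl/client_pse", "ssl/client_ciphersuites")),
        ):
            legs.append((sysdef.get("SID"), leg, tls, needed if tls else ()))
            findings += [f"{key}: {leg} uses TLS but {n} is not set explicitly"
                         for n in needed if tls and n not in params]
    return legs, findings
```

Calling `tls_legs(parse_profile(PROFILE))` on the sample returns both legs as TLS with no findings; a finding only means the parameter is absent from the profile, so the default value applies.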