Connect PO to third party with webdispatcher due to insufficient cipher suites

All,

We're facing an issue with PO not being able to communicate with a third party due to the wrong cipher suites. I've seen several posts regarding missing cipher suites and noticed the advice to use a Webdispatcher for this. We cannot get this to work. It also feels like we're using the Webdispatcher the other way around.

The situation is as follows:

The third party says we don't need to exchange certificates. It should be accepted without any issues.

For now we've installed the Webdispatcher on the PO server. It's configured as follows:

SAPSYSTEMNAME = WDD
SAPGLOBALHOST = <server>
SAPSYSTEM = 02
INSTANCE_NAME = W02
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
DIR_PROFILE = \\<server>\sapmnt\WDD\SYS\profile
_PF = $(DIR_PROFILE)\WDD_W02_<server>
SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%
ssl/ssl_lib = C:\usr\sap\WDD\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDD\W02\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDD\W02\sec\SAPSSLC.pse
#-----------------------------------------------------------------------
# Cipher suites
#-----------------------------------------------------------------------
ssl/ciphersuites = PFS:HIGH:MEDIUM
ssl/client_ciphersuites = PFS:HIGH:MEDIUM
#-----------------------------------------------------------------------
# Back-end system configuration
#-----------------------------------------------------------------------
wdisp/system_0 = SID=EXT, EXTSRV=https://api.<thirdparty>.nl, SRCURL=/api/v1/shipments, SRCSRV=*:8102
#-----------------------------------------------------------------------
# Configuration of maximum number of concurrent connections
#-----------------------------------------------------------------------
icm/max_conn = 500
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=8102
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
#-----------------------------------------------------------------------
# Start webdispatcher
#-----------------------------------------------------------------------
_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)
Restart_Program_00 = local $(_WD) pf=$(_PF)
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec


We made sure that port 8102 is open for traffic from the third party. Also the sapcryptolib is on a level high enough to handle the cipher suites.

The monitor application servers in the Webdispatcher admin shows the following:

After activating (activate server EXTERN) we created a trust. The third party automatically returned two certificates, which we imported into the client PSE.

As an extra precaution the certificates have also been imported into the server PSE.

The option to ping the HTTPS servers brings back the correct site in the browser, and eventually the question mark under valid (HTTPS) turns to a green check mark.

Our questions are:

* should this be possible and if so, is the above configuration correct?
* should certificates be exchanged between PO and the Webdispatcher?

If there is a how-to-guide or blog I've missed or you have any thoughts on this please let me know.

Thanks,

Rob
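
Added example, not part of the original post and not SAP tooling: a small audit of the routing lines from the profile above, checking that the `SRCSRV` port of each `wdisp/system_<n>` entry has a matching `icm/server_port_<n>`, that forwarding is limited by `SRCURL`, and that the outbound TLS parameters are set explicitly. The host `api.thirdparty.example` stands in for the redacted name, and the function names and the choice of checks are this example's own assumptions.

```python
import re

# Constructed sample: the routing-relevant lines of the profile in the question,
# with the redacted third-party host replaced by a placeholder name.
PROFILE = """\
ssl/client_pse = C:\\usr\\sap\\WDD\\W02\\sec\\SAPSSLC.pse
ssl/client_ciphersuites = PFS:HIGH:MEDIUM
wdisp/system_0 = SID=EXT, EXTSRV=https://api.thirdparty.example, SRCURL=/api/v1/shipments, SRCSRV=*:8102
icm/server_port_0 = PROT=HTTPS,PORT=8102
"""

def parse_profile(text):
    """Return {parameter: value}, skipping comment and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def subparams(value):
    """Split 'A=1, B=2' into {'A': '1', 'B': '2'}."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)

def audit(text):
    """Return a list of findings for the wdisp/system_<n> entries in a profile."""
    params = parse_profile(text)
    ports = {subparams(v).get("PORT") for k, v in params.items()
             if re.fullmatch(r"icm/server_port_\d+", k)}
    findings = []
    for key, value in params.items():
        if not re.fullmatch(r"wdisp/system_\d+", key):
            continue
        system = subparams(value)
        src_port = system.get("SRCSRV", "").rpartition(":")[2]
        if src_port and src_port not in ports:
            findings.append(f"{key}: SRCSRV port {src_port} has no icm/server_port entry")
        if not system.get("SRCURL"):
            findings.append(f"{key}: no SRCURL, forwarding is not limited to a URL prefix")
        if system.get("EXTSRV", "").lower().startswith("https://"):
            for needed in ("ssl/client_pse", "ssl/client_ciphersuites"):
                if needed not in params:
                    findings.append(f"{key}: HTTPS target but {needed} is not set explicitly")
    return findings
```

For the profile as posted, `audit(PROFILE)` returns an empty list; the checks only cover internal consistency of the file, not whether the third party accepts the offered cipher suites.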


2 Answers

  • Posted on Mar 26, 2019 at 06:41 AM

    Hi Hellemons,

    Web Dispatcher is a reverse proxy, not a forward proxy. So Web Dispatcher accepts requests from third parties on behalf of services hosted on the SAP system. But if you want to communicate from the SAP system to third-party systems, then I don't think you can achieve it, as it's not a forward proxy.

    This link may be helpful for you:

    https://help.sap.com/doc/saphelp_nw73/7.3.16/en-US/34/0c46cfa2534fdbbc2f4ddb7d1302c6/content.htm?no_cache=true

    Regards,

    Anoop Rai


  • Posted on Jul 14, 2020 at 01:57 AM

    I am not sure what the third party's requirement on cipher suites is, but you want the parameter:

    ssl/client_ciphersuites = PFS:HIGH:MEDIUM

    in the PO system instead of WD.

    Regards,
    Harie
