Sep 07, 2019 at 01:30 PM

Please help with SAP Web Dispatcher (SSL issue)

Last edit Sep 10, 2019 at 07:44 AM

Dear Experts,

I have set up a SAP Web Dispatcher. I have added the following security-related parameters in the profile:

wdisp/ssl_encrypt = 1
ssl/ssl_lib = /sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst
ssl/server_pse = /usr/sap/<SID>/W00/sec/<SID>.pse
wdisp/ssl_auth = 0
icm/HTTPS/verify_client = 0
wdisp/add_client_protocol_header = true
is/HTTP/show_server_header = false
is/HTTP/show_detailed_errors = false
ssl/ciphersuites = 128:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW

However, the dev_webdisp file looks quite miserable.
I have two main concerns:

1. I am using Kernel 7.73. SAPcryptoLib should be part of it. At least I can see all the files in my exe directory!!

[Thr 139668973037312] =================================================
[Thr 139668973037312] = SSL Initialization platform tag=(linuxx86_64_gcc43)
[Thr 139668973037312] = (773_REL patchno 213,Aug 2 2019,mt,ascii-uc, 16/64/64)
[Thr 139668973037312] = [ipf] ssl/ssl_lib=/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst
[Thr 139668973037312] = resulting Filename = "/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst"
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst") FAILED
"/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst: invalid ELF header" [dlux.c 550]
[Thr 139668973037312] *** ERROR => secussl_LoadLibrary(): Unable to load "/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst" [ssslsecu.c 635]
[Thr 139668973037312] *** ERROR => Loading of SSL library failed -- NO SSL available!
[Thr 139668973037312] =================================================
[Thr 139668973037312]
[Thr 139668973037312] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_LIB_NOT_FOUND
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst") FAILED
"/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst: invalid ELF header" [dlux.c 550]
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("libsapsecu.so") FAILED
"libsapsecu.so: cannot open shared object file: No such file or directory" [dlux.c 550]
[Thr 139668973037312] =================================================

WHY this error? How come invalid ELF header? The file does exist and is owned by <SID>adm!!

2. There is some problem with the cipher suites:

[Thr 139668973037312] *** ERROR => cannot set ciphersuites "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA2
56:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW"
for PSE "/usr/sap/WD1/W00/sec/WD1.pse" [ssslsecu.c 2993]
[Thr 139668973037312] secussl_Create_SSL_CTX: SSL_CTX_set_default_cipher_suites() failed (1285/0x00000505)
[Thr 139668973037312] => "A function called indirectly got an invalid parameter"
[Thr 139668973037312] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139668973037312] 0x00000505 | SAPCRYPTOLIB | SSL_CTX_set_default_cipher_suites
[Thr 139668973037312] SAPCRYPTO API error
[Thr 139668973037312] A function called indirectly got an invalid parameter
[Thr 139668973037312] 0xa0600000 | SSL | sec_SSL_CTX_set_default_cipher_suites
[Thr 139668973037312] A function called indirectly got an invalid parameter
[Thr 139668973037312] 0xa060000b | SSL | ssl_create_cipher_suites
[Thr 139668973037312] A function parameter is invalid
[Thr 139668973037312] Invalid character in cipher suite string:
[Thr 139668973037312] << ---------- End of Secu-SSL Errorstack ----------

PLEASE kindly let me know what is wrong... All the documents and threads I found are very foggy and lack clear explanation!!! :-( Many thanks in advance!
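
The "invalid ELF header" text in the trace above comes from the dynamic loader, which rejects any file that does not begin with the ELF magic bytes. As an added example (not part of the original post and not SAP code), this Python script reads ssl/ssl_lib from profile text, reports whether the file it names is an ELF object, and extracts the dlopen() failure reasons from trace text; the function names and the sample file are constructed for illustration.

```python
import re
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF object, shared libraries included

def parse_profile(text):
    """Return {parameter: value} for the 'name = value' lines of a profile."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def classify_library(path):
    """Return 'missing', 'not-elf' or 'elf' for the file at path."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    with p.open("rb") as fh:
        return "elf" if fh.read(4) == ELF_MAGIC else "not-elf"

def check_ssl_lib(profile_text):
    """Return (configured path, classification) for ssl/ssl_lib, or None if unset."""
    path = parse_profile(profile_text).get("ssl/ssl_lib")
    return None if path is None else (path, classify_library(path))

_REASON = re.compile(r'^"(.+?): (.+)" \[')  # the loader's reason is on the following line

def dlopen_failures(trace_text):
    """Map each file named in a dlopen() FAILED line to the loader's reason."""
    failures, lines = {}, trace_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "dlopen(" in line and "FAILED" in line:
            m = _REASON.match(lines[i + 1].strip())
            if m:
                failures[m.group(1)] = m.group(2)
    return failures

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d, "sample.lst")  # constructed text file, not a library
        sample.write_text("constructed text content\n")
        print(check_ssl_lib(f"ssl/ssl_lib = {sample}\n"))  # classification: not-elf
    # Two lines in the format of the trace quoted in the post
    trace = ('[Thr 1] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("libsapsecu.so") FAILED\n'
             '"libsapsecu.so: cannot open shared object file: No such file or directory" [dlux.c 550]\n')
    print(dlopen_failures(trace))
```

A "not-elf" result for the configured path means the loader was handed a file that is not a shared library, whatever its ownership or permissions.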