Web Dispatcher https for BPC NW systems

Oct 26, 2017 at 06:40 PM

Hi,

I need to use SAP Web Dispatcher as redirect for BPC systems.

I was able to set up the following:
PRODUCTIVE: https://webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://prdbpc:8000/sap/bpc/web
QUALITY: https://webdisp:8888/sap/bpc/web --> webdisp redirect to --> http://qasbpc:8000/sap/bpc/web


My web dispatcher configuration:

wdisp/system_0 = SID=PRD, MSHOST=PRDbpc, MSPORT=8101, SRCSRV=*:7777, SSL_ENCRYPT=0

wdisp/system_1 = SID=QAS, MSHOST=QASbpc, MSPORT=8101, SRCSRV=*:8888, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600

icm/server_port_1 = PROT=HTTPS,PORT=8888, TIMEOUT=340,PROCTIMEOUT=600

At first I had a certificate error in the browser; then I installed the certificate via the browser and everything worked fine.

But many users often confuse the Prod and Quality systems, because the URLs are very similar (the only difference is the port).

Our consultants ask for URLs like:

https://PRD.webdisp:7777/sap/bpc/web
https://QAS.webdisp:7777/sap/bpc/web

(it really is more usable)

I tried to set it up via rules:

if %{HTTP_HOST} regimatch PRD.webdisp*
SetHeader x-sap-webdisp-target-sid PRD [break]

if %{HTTP_HOST} regimatch QAS.webdisp*
SetHeader x-sap-webdisp-target-sid QAS [break]

The URL opens fine, but I get a certificate error in the browser:


I tried many times to install the certificate via the browser, but I am still getting an error about an untrusted site.

I can click "Continue to this website (not recommended)", but then I cannot run the EPM add-in:


As far as I know, my browser doesn't accept the certificate because I use the hostname Prd.webdisp in the URL, whereas the true hostname is 'webdisp'.
Please help me: how can I set up a "normal" HTTPS connection to my BPC systems?
Thanks...


1 Answer

Best Answer
Isaias Freitas
Oct 27, 2017 at 11:47 PM
0

Hello,

You will have to create two certificates, and configure the Web Dispatcher to use one for the production hostname and the other for the quality hostname.

In addition, you do not need to use the modification rules to determine which backend system (prod or QA) should take the request.

Check out the WIKI pages below.

Cheers!

Isaías
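
An added example, not part of the original answer: a simplified Python model of the hostname check a browser applies, showing why a certificate issued for `webdisp` fails for `PRD.webdisp` and why one certificate per hostname fixes it. The PSE file names, the helper names and the `example.com` wildcard name are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, hostname: str) -> bool:
    """Strict match of one certificate DNS name against the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if any("*" in label for label in p[1:]):
        return False              # wildcard allowed only in the left-most label
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards ("p*") are rejected here
    return p == h

def select_certificate(host: str, certs_by_host: dict, default: dict) -> dict:
    """Model of the server picking a certificate by requested hostname (SNI)."""
    return certs_by_host.get(host.lower(), default)

def browser_accepts(url: str, certs_by_host: dict, default: dict) -> bool:
    """True if the certificate the server would present covers the URL's host."""
    host = urlsplit(url).hostname  # lower-cased, port stripped
    cert = select_certificate(host, certs_by_host, default)
    return any(name_matches(n, host) for n in cert["names"])

# Constructed sample data: hostnames from the question, file names hypothetical.
SINGLE = {"file": "webdisp.pse", "names": ["webdisp"]}
PER_HOST = {
    "prd.webdisp": {"file": "prd.pse", "names": ["prd.webdisp"]},
    "qas.webdisp": {"file": "qas.pse", "names": ["qas.webdisp"]},
}

if __name__ == "__main__":
    for url in ("https://webdisp:7777/sap/bpc/web",
                "https://PRD.webdisp:7777/sap/bpc/web",
                "https://QAS.webdisp:7777/sap/bpc/web"):
        print(url,
              "single cert:", browser_accepts(url, {}, SINGLE),
              "per-host certs:", browser_accepts(url, PER_HOST, SINGLE))
```

Installing the `webdisp` certificate in the browser's trust store does not change the outcome for `PRD.webdisp`, because trust and name matching are separate checks.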


Thanks Isaias!

0

You are welcome! :-)

0
Hi Isaias,

it's me again.

I have a new problem: I need to establish a connection between a Tomcat application (SAP FIM, HTTP) --> WebDisp (HTTPS) --> BPC (HTTP).

When I use HTTP on the WebDisp side, everything works fine, but when I tried to use HTTPS on WebDisp I got errors -

On Tomcat (FIM) side:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

On WebDisp side:

[Thr 140080339609344] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 140080339609344] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 140080339609344] srv SSL session PSE "/usr/sap/WBC/W00/sec/bpc.pse"
[Thr 140080339609344] session ciphersuites=HIGH:PFS:MEDIUM:+e3DES:!aNULL
[Thr 140080339609344] Server SSL_CTX 7f66f8203060 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 140080339609344] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 140080339609344] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 140080339609344] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 140080339609344] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 140080339609344] SSL API error
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_accept
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 140080339609344] received a fatal TLS certificate unknown alert message from the peer
[Thr 140080339609344] << ---------- End of Secu-SSL Errorstack ----------
[Thr 140080339609344] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:64613
[Thr 140080339609344] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f66ec0008c0)==SSSLERR_SSL_READ
[Thr 140080339609344] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1894]

My WebDisp configuration now:

wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse

On the Tomcat (FIM) side I added the bpc.pse certificate to the keystore.

I checked the ICM log on the BPC side - it's clear.

It looks like Tomcat (FIM) cannot understand the Web Dispatcher TLS protocol.

Can you help me please?

0

Hello Daulet,

Since this is a new issue, you should create a new question in the community.

Anyway, the error seems to be:

received a fatal TLS certificate unknown alert message from the peer

Please verify whether this SAP WIKI page can help you.

Best regards,

Isaías

0

Hi Isaias, thanks for help.

I created a new question in the community:

https://answers.sap.com/questions/355467/connection-between-sap-fim-tomcat-and-bpc-nw-throu.html

Can you look at that?
0