Connection between SAP FIM (Tomcat) and BPC NW through Web Dispatcher

Hi,

I need to use SAP Web Dispatcher as a redirect for BPC systems.

I set up the following:
https://bpc.webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://bwbpcdev:8000/sap/bpc/web

I used this conf:

wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse

Also, when users go to the https URL, all works fine; the first time they need to install the certificate via the browser, and then all is good.

Also I need to configure a connection between SAP FIM (Tomcat) and BPC through that Web Dispatcher. SAP FIM uses web services technology to connect to BPC.

At first I configured my Web Dispatcher via http, and the connection between FIM and BPC worked fine.

But when I configure HTTPS on the Web Dispatcher, the connection is broken.

Also I googled, and found that I need to add the Web Dispatcher SSL certificate to the Tomcat truststore, so via the keytool utility I generated a truststore (MYtruststore) and added the Web Dispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

But now I got a new error:

On Tomcat (SAP FIM) side:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

On WebDisp side:

[Thr 139783510734592] Wed Nov 15 15:57:36:803 2017
[Thr 139783510734592] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139783510734592] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139783510734592] srv SSL session PSE "/usr/sap/WER/W03/sec/bpc.pse"
[Thr 139783510734592] session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139783510734592] Server SSL_CTX 7f21dc1ecee0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 139783510734592] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139783510734592] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139783510734592] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139783510734592] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139783510734592] SSL API error
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_accept
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139783510734592] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:57378
[Thr 139783510734592] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f21cc0008c0)==SSSLERR_SSL_READ
[Thr 139783510734592] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1723]

I checked the ICM log on the BPC side - it's clear.

It looks like Tomcat (FIM) cannot understand the Web Dispatcher TLS protocol.

Can you help me please?

PS: I also attach the trace file with trace level 2 (dev-webdisp.txt)

dev-webdisp.txt (59.4 kB)

2 Answers

  • Nov 16, 2017 at 09:39 AM

    Please have a look at this document:

    SAP Web Dispatcher and SSL

    and implement the necessary configuration settings in the SAP WD and SAP system instance profiles.

    I'd rather recommend that you use either scenario 3 or 5.

    In addition I'd suggest to use:

    icm/HTTP/redirect_xx

    for redirecting the calls.


  • Nov 23, 2017 at 06:18 PM

    Hello Daulet,

    It seems that you need to import the Web Dispatcher SSL certificate into Tomcat, so it trusts the certificate (similar to what the end users are doing - installing the Web Dispatcher certificate in the browser, so the browser does not raise security alerts).

    Best regards,

    Isaías
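
A diagnostic for the truststore step discussed in this thread, as an added example that is not from the original posts: it loads the truststore named by the same JVM options Tomcat was given, lists the issuers the resulting X509TrustManager accepts, and attempts a TLS handshake to the host and port passed as arguments. The class name TrustStoreCheck and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example. Run with the same options as Tomcat, e.g.
//   java -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... TrustStoreCheck <host> <port>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: TrustStoreCheck <host> <port>");
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        if (path == null) throw new IllegalStateException("javax.net.ssl.trustStore is not set");

        // Step 1: the file must load with this type and password.
        // A wrong path, password or store format fails here with an exception.
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        System.out.println("loaded " + path + " (" + type + "), entries=" + ks.size());

        // Step 2: build trust managers from the store and look for an X509TrustManager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager x509 = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) x509 = (X509TrustManager) tm;
        }
        if (x509 == null) throw new IllegalStateException("no X509TrustManager could be built from this store");
        X509Certificate[] issuers = x509.getAcceptedIssuers();
        for (X509Certificate c : issuers) {
            System.out.println("accepted issuer: " + c.getSubjectX500Principal() + " notAfter=" + c.getNotAfter());
        }
        if (issuers.length == 0) throw new IllegalStateException("truststore contains no usable certificates");

        // Step 3: handshake using only this truststore. This validates the certificate
        // chain; it does not perform the HTTPS hostname check a web-service client may add.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake(); // throws SSLHandshakeException if the chain is not trusted
            SSLSession sess = s.getSession();
            X509Certificate leaf = (X509Certificate) sess.getPeerCertificates()[0];
            System.out.println("handshake OK: " + sess.getProtocol() + " " + sess.getCipherSuite());
            System.out.println("server certificate: " + leaf.getSubjectX500Principal());
        }
    }
}
```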
