Connection between SAP FIM (Tomcat) and BPC NW through Web Dispatcher

Olj
Participant
0 Kudos

Hi,

I need to use SAP Web Dispatcher as a redirect for BPC systems.

I set up the following:
https://bpc.webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://bwbpcdev:8000/sap/bpc/web

I used this conf:

wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse

Also, when users go to the https URL all works fine; the first time they need to install the certificate via the browser and then all is good.

Also I need to configure the connection between SAP FIM (Tomcat) and BPC through that Web Dispatcher. SAP FIM uses web services technology to connect to BPC.

At first I configured my WebDispatcher via http, and the connection between FIM and BPC worked fine.

But when I configure httpS on WebDisp, the connection is broken.

Also I googled, and found that I need to add the webdispatcher SSL certificate to the Tomcat truststore, so via the keytool utility I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

But now I got new error:

On Tomcat (SAP FIM) side:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

On WebDisp side:

[Thr 139783510734592] Wed Nov 15 15:57:36:803 2017
[Thr 139783510734592] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139783510734592] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139783510734592] srv SSL session PSE "/usr/sap/WER/W03/sec/bpc.pse"
[Thr 139783510734592] session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139783510734592] Server SSL_CTX 7f21dc1ecee0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 139783510734592] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139783510734592] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139783510734592] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139783510734592] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139783510734592] SSL API error
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_accept
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139783510734592] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:57378
[Thr 139783510734592] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f21cc0008c0)==SSSLERR_SSL_READ
[Thr 139783510734592] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1723]

I checked the ICM log on the BPC side - it's clear.

Looks like Tomcat (FIM) cannot understand the WebDispatcher TLS protocol.

Can you help me please?

PS: Also I attach trace file with trace level 2 (dev-webdisp.txt )
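
Added example, not part of the original thread: a stand-alone Java check that can be started with the same `-Djavax.net.ssl.*` options given to Tomcat, to see whether that JVM can load the trust store file and obtain an `X509TrustManager` from it. The class name `TrustStoreCheck` is hypothetical; the system properties it reads are the standard JSSE ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name). Start it with the same
// -Djavax.net.ssl.trustStore / trustStorePassword options that Tomcat was given.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        if (path == null) {
            System.out.println("javax.net.ssl.trustStore is not set; the JVM default trust store would be used");
            return;
        }
        // Step 1: can the file be opened and parsed with this type and password?
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // IOException here means wrong password or wrong format
        }
        // Step 2: list every entry so the imported certificate can be identified.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("%s certEntry=%b subject=%s notAfter=%s%n",
                        alias, ks.isCertificateEntry(alias), x.getSubjectX500Principal(), x.getNotAfter());
            }
        }
        // Step 3: does the default TrustManagerFactory produce an X509TrustManager from it?
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                System.out.println("X509TrustManager available, accepted issuers: "
                        + ((X509TrustManager) tm).getAcceptedIssuers().length);
                return;
            }
        }
        System.out.println("no X509TrustManager was produced from this trust store");
    }
}
```

The subject printed in step 2 can be compared with the certificate the Web Dispatcher presents on port 7777; an exception in step 1 or zero accepted issuers in step 3 points at the trust store file rather than at the TLS protocol version.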

Accepted Solutions (0)

Answers (2)


isaias_freitas
Advisor
0 Kudos

Hello Daulet,

It seems that you need to import the Web Dispatcher SSL certificate at the Tomcat, so it trusts the certificate (similar to what the end users are doing - installing the Web Dispatcher certificate on the browser, so the browser does not raise security alerts).

Best regards,

Isaías

Olj
Participant
0 Kudos

Hi Isaias,

I already imported the WebDisp SSL certificate via the keytool utility: I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

But I got the errors listed above.

isaias_freitas
Advisor
0 Kudos

Hello Daulet,

I am sorry. I do not have knowledge on Tomcat servers... so, I cannot provide further advice on how to configure it to trust the Web Dispatcher certificate.

Best regards,

Isaías

former_member189220
Active Contributor
0 Kudos

Please have a look at this document:

SAP Web Dispatcher and SSL

and implement the necessary configuration settings on the SAP WD and the SAP system instance profiles.

I'd rather recommend you use either scenario 3 or 5.

In addition I'd suggest to use:

icm/HTTP/redirect_xx

for redirecting the calls.

Olj
Participant
0 Kudos

Hi Milen,

thanks.

I use scenario 3.

I already read your links, but I didn't find a resolution to my problem.

Only I configured scenario 3 without a CA (self-signed). Browsers work fine, but something is wrong with Tomcat (FIM).

former_member189220
Active Contributor
0 Kudos

Have you implemented the redirection with:

icm/HTTP/redirect_xx