on 11-15-2017 11:01 AM
Hi,
I need to use SAP Web Dispatcher as redirect for BPC systems.
I set up following:
https://bpc.webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://bwbpcdev:8000/sap/bpc/web
I used this conf:
wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0
icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse
Also, when users go to the https URL all works fine; the first time they need to install the certificate via the browser, and then all is good.
Also I need to configure the connection between SAP FIM (Tomcat) and BPC through that Web Dispatcher. SAP FIM uses web services technology to connect to BPC.
At first I configured my WebDispatcher via http, and the connection between FIM and BPC worked fine.
But when I configure HTTPS on WebDisp, the connection is broken.
Also I googled, and found that I need to add the webdispatcher SSL certificate to the Tomcat truststore, so via the keytool utility I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:
-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit
But now I get a new error:
On Tomcat (SAP FIM) side:
com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available
On WebDisp side:
[Thr 139783510734592] Wed Nov 15 15:57:36:803 2017
[Thr 139783510734592] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139783510734592] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139783510734592] srv SSL session PSE "/usr/sap/WER/W03/sec/bpc.pse"
[Thr 139783510734592] session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139783510734592] Server SSL_CTX 7f21dc1ecee0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 139783510734592] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139783510734592] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139783510734592] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139783510734592] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139783510734592] SSL API error
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_accept
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139783510734592] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:57378
[Thr 139783510734592] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f21cc0008c0)==SSSLERR_SSL_READ
[Thr 139783510734592] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1723]
I checked the ICM log on the BPC side; it's clear.
Looks like Tomcat (FIM) cannot understand WebDispatcher TLS protocol.
Can you help me please?
PS: I also attach the trace file with trace level 2 (dev-webdisp.txt).
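The Web Dispatcher trace above shows the dispatcher receiving a "certificate unknown" alert, i.e. the TLS client (Tomcat) rejected the server certificate, while the Tomcat side reports that no X509TrustManager could be built from the configured truststore. The following diagnostic, an added example and not code from the thread or from SAP, reproduces the client side of that handshake outside Tomcat. It loads the JKS the same way the JVM does with -Djavax.net.ssl.trustStore, verifies that the store holds at least one X.509 trustedCertEntry (a keystore with none cannot yield a usable trust manager), builds a trust manager from it, and then connects to the dispatcher with HTTPS hostname verification enabled so that a mismatch between the certificate name and the SRCVHOST name is also surfaced. The path, password, host and port are the ones quoted in the question; the class name is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical diagnostic: checks a JKS truststore and probes the Web Dispatcher TLS endpoint. */
public class TrustStoreCheck {

    /** Load the JKS file and fail loudly if it holds no trusted X.509 certificate entry. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int trusted = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("trusted entry " + alias + " -> " + x.getSubjectX500Principal()
                        + " (expires " + x.getNotAfter() + ")");
                    trusted++;
                }
            }
        }
        if (trusted == 0) {
            throw new IllegalStateException("truststore contains no X.509 trustedCertEntry; "
                + "import the dispatcher's X.509 certificate (DER/PEM), not another container format");
        }
        return ks;
    }

    /** Build an SSLContext from the truststore, mirroring what the JVM does for the javax.net.ssl.* properties. */
    static SSLContext contextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager x509 = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                x509 = (X509TrustManager) tm;
            }
        }
        if (x509 == null || x509.getAcceptedIssuers().length == 0) {
            throw new IllegalStateException("no usable X509TrustManager could be built from this truststore");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { x509 }, null);
        return ctx;
    }

    /** Handshake with the dispatcher and print the presented chain; throws SSLHandshakeException if it is not trusted. */
    static void probe(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
            // Enable the same hostname check an HTTPS client performs, so a CN/SAN mismatch
            // against the SRCVHOST name is reported here rather than only inside the web service call.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake();
            System.out.println("negotiated " + s.getSession().getProtocol()
                + " with " + s.getSession().getCipherSuite());
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println("peer chain: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values quoted in the question; override with <store> <host> on the command line.
        String storePath = args.length > 0 ? args[0] : "C:\\TEMP\\MYtruststore.jks";
        String host = args.length > 1 ? args[1] : "bpc.webdisp";
        char[] storePass = "changeit".toCharArray();
        int port = 7777;

        KeyStore ks = loadTrustStore(storePath, storePass);
        SSLContext ctx = contextFor(ks);
        probe(ctx, host, port);
    }
}
```

Run it with the same JVM that runs Tomcat (java TrustStoreCheck C:\TEMP\MYtruststore.jks bpc.webdisp): if loadTrustStore throws, the store itself is the problem; if probe throws an SSLHandshakeException, the dispatcher is presenting a certificate (or name) that the imported entry does not cover, which is exactly what produces the "certificate unknown" alert in the dispatcher trace.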
Hello Daulet,
It seems that you need to import the Web Dispatcher SSL certificate into Tomcat, so it trusts the certificate (similar to what the end users are doing: installing the Web Dispatcher certificate in the browser, so the browser does not raise security alerts).
Best regards,
Isaías
Hi Isaias,
I already imported the WebDisp SSL certificate via the keytool utility: I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:
-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit
Please have a look at this document:
and implement the necessary configuration settings in the SAP WD and SAP system instance profiles.
I'd rather recommend you use either scenario 3 or 5.
In addition I'd suggest using:
for redirecting the calls.
Have you implemented the redirection with: