Connection between SAP FIM (Tomcat) and BPC NW through Web Dispatcher

Nov 15, 2017 at 11:01 AM

Hi,

I need to use SAP Web Dispatcher as a redirect for BPC systems.

I set up the following:
https://bpc.webdisp:7777/sap/bpc/web --> webdisp redirect to --> http://bwbpcdev:8000/sap/bpc/web

I used this conf:

wdisp/system_0 = MSHOST=bwbpcdev, MSPORT=8101, SID=DBC, SRCVHOST=bpc.bobpcwd:7777, SSL_ENCRYPT=0

icm/server_port_0 = PROT=HTTPS,PORT=7777, TIMEOUT=340,PROCTIMEOUT=600, SSLCONFIG=ssl_config_0
ssl/server_pse = bpc.pse
icm/ssl_config_0 = CRED=bpc.pse

Also, when users go to the https URL everything works fine; the first time they need to install the certificate via the browser, and then all is good.

I also need to configure a connection between SAP FIM (Tomcat) and BPC through that Web Dispatcher. SAP FIM uses web services technology to connect to BPC.

At first I configured my WebDispatcher via http, and the connection between FIM and BPC worked fine.

But when I configure HTTPS on WebDisp, the connection is broken.

I also googled and found that I need to add the webdispatcher SSL certificate to the Tomcat truststore, so via the keytool utility I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

But now I got new error:

On Tomcat (SAP FIM) side:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

On WebDisp side:

[Thr 139783510734592] Wed Nov 15 15:57:36:803 2017
[Thr 139783510734592] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139783510734592] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139783510734592] srv SSL session PSE "/usr/sap/WER/W03/sec/bpc.pse"
[Thr 139783510734592] session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139783510734592] Server SSL_CTX 7f21dc1ecee0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 139783510734592] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139783510734592] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139783510734592] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139783510734592] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139783510734592] SSL API error
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_accept
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139783510734592] received a fatal TLS certificate unknown alert message from the peer
[Thr 139783510734592] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139783510734592] SSL NI-hdl 85: local=192.168.88.31:7777 peer=192.168.88.124:57378
[Thr 139783510734592] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f21cc0008c0)==SSSLERR_SSL_READ
[Thr 139783510734592] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1723]

I checked the ICM log on the BPC side - it's clear.

It looks like Tomcat (FIM) cannot understand the WebDispatcher TLS protocol.

Can you help me please?

PS: I also attach a trace file with trace level 2 (dev-webdisp.txt)

dev-webdisp.txt (59.4 kB)

2 Answers

Milen Dontcheff
Nov 16, 2017 at 09:39 AM

Please have a look at this document:

SAP Web Dispatcher and SSL

and implement the necessary configuration settings in the SAP WD and SAP system instance profiles.

I'd rather recommend using either scenario 3 or 5.

In addition I'd suggest to use:

icm/HTTP/redirect_xx

for redirecting the calls.

Hi Milen,

thanks.

I use scenario 3.

I already read your links, but I didn't find a resolution to my problem.

Only, I configured scenario 3 without a CA (self-signed). Browsers work fine, but something is wrong with Tomcat (FIM).

Have you implemented the redirection with:

icm/HTTP/redirect_xx

Isaias Freitas
Nov 23, 2017 at 06:18 PM

Hello Daulet,

It seems that you need to import the Web Dispatcher SSL certificate into Tomcat, so that it trusts the certificate (similar to what the end users are doing - installing the Web Dispatcher certificate in the browser, so the browser does not raise security alerts).

Best regards,

Isaías

Hi Isaias,

I already imported the WebDisp SSL certificate via the keytool utility: I generated a truststore (MYtruststore) and added the webdispatcher certificate (bpc.pse) to that truststore (MYtruststore.jks). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\TEMP\MYtruststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

But I got errors listed above.

Hello Daulet,

I am sorry. I do not have knowledge on Tomcat servers... so, I cannot provide further advice on how to configure it to trust the Web Dispatcher certificate.

Best regards,

Isaías
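
An added example, not part of any post in this thread: a small Java check of what the two -Djavax.net.ssl.* options quoted above depend on, namely that the truststore file loads with the given password, holds at least one trusted-certificate entry and yields an X509TrustManager; given a host and port it also attempts a TLS handshake. The class name TrustStoreCheck and the optional host/port arguments are assumptions made for illustration.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Added diagnostic (hypothetical class name). Run it with the same -D options Tomcat gets:
//   java -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... TrustStoreCheck [host port]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        if (path == null) throw new IllegalStateException("javax.net.ssl.trustStore is not set");

        // 1. The file must load with this type and password; a wrong path,
        //    password or file format fails here with an IOException.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        // 2. Only trusted-certificate entries act as trust anchors; list them.
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s: subject=%s notAfter=%s%n", alias, c.getSubjectX500Principal(), c.getNotAfter());
            anchors++;
        }
        if (anchors == 0) throw new IllegalStateException("no trusted certificate entries in " + path);
        // 3. The store must produce an X509TrustManager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        boolean x509 = false;
        for (TrustManager tm : tmf.getTrustManagers()) x509 |= tm instanceof X509TrustManager;
        if (!x509) throw new IllegalStateException("no X509TrustManager built from " + path);
        if (args.length < 2) return;
        // 4. Optional: handshake with the endpoint, hostname verification enabled.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException if the server certificate is not trusted
            System.out.println("handshake OK: " + s.getSession().getProtocol());
        }
    }
}
```

keytool imports X.509 certificate files (PEM or DER); a .pse file is an SAP PSE container, so the certificate has to be exported from the PSE before it can be added to a Java truststore.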