Document History
Document Version
Description
1.0
How to Configure Integration between SAP CRM and SAP Cloud for Customers using SAP PI
Table of Contents
How to Set Up SAP Web Dispatcher for Two Way SSL between SAP Cloud for Customer and SAP NetWeaver Application Server in 30 Minutes
Prerequisites
1 Business Scenario
This guide will show how easy it is to set up the SAP Web Dispatcher for the SAP cloud to on-premise
integration. The SSL configuration will be based on self-signed certificates. Security-wise this is acceptable as
long as the Web Dispatcher is used only for server-to-server communication. For browser-based scenarios this
setup cannot be used, since the self-signed certificates will not be trusted by the browser's security
environment. One major security risk commonly associated with self-signed certificates is that certificate
revocation (CRL) is not supported. Whether this has an impact should be analyzed case by case.
2 Prerequisites
The prerequisite of this guide is that the Web Dispatcher is already installed on a server, containing the initial
profile. You need to have the necessary root certificates available as .cer files during this setup. For
the necessary commands we provide only relative paths (e.g. /../sapgenpse), since the absolute path
depends on the installation parameters. We assume that the fully qualified domain name (FQDN) of your
installation is mywebdisp.customerdomain, so you have to replace it with the appropriate value.
How-to Configure SAP Web Dispatcher for Two-Way SSL Communication in 30 Minutes
Step-by-Step Procedure for SSL Configuration
3.1
The HTTPS port should be 443; deactivate all HTTP ports for your FQDN.
icm/server_port_0 = PROT=HTTP,HOST=localhost,PORT=81$$
icm/server_port_1 = PROT=HTTPS,HOST=mywebdisp.customerdomain,PORT=443,ACLFILE=D:\..\sec\acl.txt
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$;443
3.2
Create the Web Dispatcher server PSE together with its own server certificate. Open the command prompt in
administrator mode and enter the command:
/../sapgenpse gen_pse -p D:\usr\sap\wdd\w00\sec\sapssls.pse
Tip: if you need more information about the syntax, you can enter -h on any level and you will receive the help
for the specific command (example: sapgenpse gen_pse -h).
If prompted, enter:
CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN
Note: replace customer with the organization owning the WD (e.g. the name of the customer) and replace
mywebdisp.customerdomain with the FQDN of your installation.
3.3
In the file system, copy the file Server.PSE and rename the copy to Client.PSE. Server and Client PSE will now
both contain the same certificate!
3.4
Export the server certificate via sapgenpse, paste it into Notepad and store it on your computer with the filename
wdservercert.cer:
/../sapgenpse export_own_cert -p d:\usr\sap\wdd\w00\sec\sapssls.pse
3.5
In Server.PSE, import the root certificate of the end user client certificate (in case of SAP Cloud for Customer
this is SAPPassport CA).
Link for download:
http://service.sap.com/tcs
Click on Download area and then Root certificates.
Upload the SAP Passport CA into the Server PSE.
Command: sapgenpse maintain_pk
Within Client.PSE, import the root certificate of the Web AS server certificate. This is project-specific and depends
on which CA the customer will be using for signing the on-premise server certificate.
Command: sapgenpse maintain_pk
3.6
wdisp/ping_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ssl_encrypt = 1
#settings for client certificate handling
icm/HTTPS/verify_client = 1
icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_auth = 1
#authentication handler
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=D:\..\sec\perm.txt
#don't show error messages:
is/HTTP/show_detailed_errors = false
3.7
For client certificate logon you have to set the following ICM parameters:
icm/HTTPS/verify_client = 1
icm/HTTPS/trust_client_with_issuer = CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN
icm/HTTPS/trust_client_with_subject = CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN
In case the connection from SAP Web Dispatcher to the backend ICM is only HTTP, you have to add an additional
parameter:
icm/accept_forwarded_cert_via_http = TRUE
(However, this is not recommended, since the client certificate is then sent unencrypted.)
Within STRUST:
In order to trust the WD client certificate in Web AS, go to PSE Server Standard, import the file
wdservercert.cer and save it.
3.8
In order to trust the WD as server, the file wdservercert.cer has to be uploaded into SAP Cloud for Customer's
certificate trust list. Save your settings.
3.9
Configure an IP filter
3.11
icm/HTTPS/verify_client = 2
Note that the WD now enforces that the client provides a client certificate! Any call without a client certificate, or
even with a client certificate that was not issued by SAPPassport CA, will be rejected from now on.
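An added example, not part of the SAP guide: a small Python check that reads a Web Dispatcher profile and reports where it differs from the end state described in steps 3.1, 3.6 and 3.11 (no plain HTTP on the FQDN, an ACLFILE on the HTTPS port, backend encryption, enforced client certificates, no detailed error pages). The sample profile and the function names are constructed for illustration; icm/accept_forwarded_cert_via_http is the backend ICM parameter from step 3.7 and is flagged in whichever profile it appears.

```python
import re

# Constructed sample profile: the guide's parameters with two deliberate
# deviations (plain HTTP bound to the public host, verify_client left at 1).
SAMPLE_PROFILE = r"""
icm/server_port_0 = PROT=HTTP,HOST=localhost,PORT=81$$
icm/server_port_1 = PROT=HTTPS,HOST=mywebdisp.customerdomain,PORT=443,ACLFILE=D:\..\sec\acl.txt
icm/server_port_2 = PROT=HTTP,HOST=mywebdisp.customerdomain,PORT=80
wdisp/ssl_encrypt = 1
icm/HTTPS/verify_client = 1
is/HTTP/show_detailed_errors = false
"""
# End-state values from steps 3.6 and 3.11 of the guide.
EXPECTED = {"wdisp/ssl_encrypt": "1", "icm/HTTPS/verify_client": "2",
            "is/HTTP/show_detailed_errors": "false"}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return findings; an empty list means the profile matches the guide."""
    findings = []
    for name in sorted(n for n in params if re.fullmatch(r"icm/server_port_\d+", n)):
        opts = {k.strip().upper(): v.strip() for k, v in
                (p.split("=", 1) for p in params[name].split(",") if "=" in p)}
        prot, host = opts.get("PROT", "").upper(), opts.get("HOST", "(any)")
        if prot == "HTTP" and host.lower() != "localhost":
            findings.append(f"{name}: plain HTTP port open on {host}")
        if prot == "HTTPS" and "ACLFILE" not in opts:
            findings.append(f"{name}: HTTPS port has no ACLFILE (IP filter)")
    for name, want in EXPECTED.items():
        got = params.get(name, "(not set)")
        if got.lower() != want:
            findings.append(f"{name}: is {got}, guide sets {want}")
    if params.get("icm/accept_forwarded_cert_via_http", "").lower() == "true":
        findings.append("icm/accept_forwarded_cert_via_http: certificate sent over HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print("FINDING", finding)
```

The parser expects each parameter on a single line, so a profile whose values are wrapped across lines has to be joined before it is checked.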
Java
2)
ABAP
1.
Click Continue
2.
3.
Click Close
4.
The communication channel CRM_Idod_Receive can be re-used for all the connections from SAP Cloud
for Customer to SAP CRM on-premise and does not have to be re-created. Select the value using the
input help button in the receiver communication channel.
5.
6.
This connection is configured with the communication channels created. Click the Next Connection
arrow to configure the next connection.
7.
Repeat the previous steps for the other connections within the scenario.
www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides