
How-To Guide

SAP Cloud for Customer


Document Version: 1.0 - 2014-03-31

How to Set Up SAP Web Dispatcher for Two Way SSL between SAP Cloud for Customer and SAP NetWeaver Application Server in 30 Minutes

Document History

Document Version    Description
1.0                 First official release of this guide


2014 SAP AG or an SAP affiliate company. All rights reserved.

Table of Contents

1 Business Scenario
2 Prerequisites
3 Step-by-Step Procedure for SSL Configuration
3.1 Change port settings in WD
3.2 Creating the Server Certificate
3.3 Copy the Server PSE to Client PSE
3.4 Export the Server Certificate
3.5 Import necessary root certificates
3.6 Complete the WD profile
3.7 ICM and STRUST settings on Web AS
3.8 Update the SAP Cloud for Customer trust list
3.9 Configure an IP filter
3.10 Configure URL filter
3.11 Allow authentication only via client certificate (optional but very secure)
3.12 Switch on http logging
3.13 Restart the Web Dispatcher and Test your scenario
3.14 Visual Summary
3.15 User Mapping

1 Business Scenario
This guide shows how easy it is to set up the SAP Web Dispatcher for SAP cloud to on-premise
integration. The SSL configuration is based on self-signed certificates. Security-wise this is acceptable as
long as the Web Dispatcher is used only for server-to-server communication. For browser-based scenarios this
setup can't be used, since the self-signed certificates will not be trusted by the browser's security
environment. One major security risk commonly related to self-signed certificates is that certificate
revocation (CRL) is not supported. Whether or not this has an impact should be analyzed case by case.

2 Prerequisites
The prerequisite of this guide is that the Web Dispatcher is already installed on a server and contains the initial
profile. You need to have the necessary root certificates available as .cer files during this setup. For
the necessary commands we provide only relative paths (e.g. /../sapgenpse), since the absolute path
depends on the installation parameters. We assume that the fully qualified domain name (fqdn) of your
installation is mywebdisp.customerdomain, so you have to replace it with the appropriate values.


3 Step-by-Step Procedure for SSL Configuration
The following steps walk you through the SSL configuration.


3.1 Change port settings in WD

The https port should be 443; deactivate all http ports for your fqdn.

icm/server_port_0 = PROT=HTTP,HOST=localhost,PORT=81$$
icm/server_port_1 = PROT=HTTPS,HOST=mywebdisp.customerdomain,PORT=443,ACLFILE=D:\..\sec\acl.txt
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$;443

3.2 Creating the Server Certificate

Create the Web Dispatcher server PSE together with its own server certificate. Open the command prompt in
administrator mode and enter the command:
/../sapgenpse gen_pse -p D:\usr\sap\wdd\w00\sec\sapssls.pse

Tip: if you need more information about the syntax, you can enter -h on any level and you will receive the help
for the specific command (example: sapgenpse gen_pse -h).
If prompted, enter:
CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN
Note: replace customer with the organization owning the WD (e.g. the name of the customer) and replace
mywebdisp.customerdomain with the fqdn of your installation.

3.3 Copy the Server PSE to Client PSE

In the file system, copy the file Server.PSE and rename the copy to Client.PSE. Server and Client PSE will now
both contain the same certificate!

3.4 Export the Server Certificate

Export the server certificate via sapgenpse, paste it into Notepad and store it on your computer with the filename
wdservercert.cer:
/../sapgenpse export_own_cert -p d:\usr\sap\wdd\w00\sec\sapssls.pse

3.5 Import necessary root certificates

In Server.PSE, import the root certificate of the end user client certificate (in case of SAP Cloud for Customer
this is SAPPassport CA).
Link for download: http://service.sap.com/tcs
Click on Download area and then Root certificates.
Upload the SAP Passport CA into the Server PSE.
Command: sapgenpse maintain_pk
Within Client.PSE, import the root certificate of the Web AS server certificate. This is project specific and depends
on which CA the customer will be using for signing the on-premise server certificate.
Command: sapgenpse maintain_pk


3.6 Complete the WD profile

Enter the following parameters in the Web Dispatcher profile:

#general setting for https protocol
wdisp/ping_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ssl_encrypt = 1

#settings for client certificate handling
icm/HTTPS/verify_client = 1
icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_auth = 1

#authentication handler
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=D:\..\sec\perm.txt

#don't show error messages:
is/HTTP/show_detailed_errors = false

3.7 ICM and STRUST settings on Web AS

For client certificate logon you have to set the following ICM parameters:

icm/HTTPS/verify_client = 1
icm/HTTPS/trust_client_with_issuer = CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN
icm/HTTPS/trust_client_with_subject = CN = mywebdisp.customerdomain, OU = customer, O = customer, C = EN

In case the connection from SAP Web Dispatcher to the backend ICM is only http, you have to add an additional
parameter:

icm/accept_forwarded_cert_via_http = TRUE
(However, this is not recommended, since the client certificate is then sent unencrypted.)

Within STRUST:
In order to trust the WD client certificate in Web AS, go to PSE Server Standard, import the file
wdservercert.cer and save it.

3.8 Update the SAP Cloud for Customer trust list

In order to trust the WD as a server, the file wdservercert.cer has to be uploaded into SAP Cloud for Customer's
certificate trust list. Save your settings.

3.9 Configure an IP filter

Within folder /sec create a Notepad file with filename acl.txt
Enter the IP range of the SAP Cloud for Customer proxies and save the file.
For a tenant located in EMEA: 155.56.208.64/28
For a tenant located in US: 169.145.9.64/26


3.10 Configure URL filter

Within folder /sec create a Notepad file with filename perm.txt
Enter a white list containing all URLs which the WD shall allow to go through.
P:
Deny all others:
D:

3.11 Allow authentication only via client certificate (optional but very secure)

Modify the parameter to:

icm/HTTPS/verify_client = 2
Note that the WD now requires the client to provide a client certificate! Any call without a client certificate, or
even with a client certificate that was not issued by SAPPassport CA, will be rejected from now on.

3.12 Switch on http logging

Add the following parameter to your profile:

icm/HTTP/logging_0 = PREFIX=/, LOGFILE=http.log, MAXSIZEKB=10000, SWITCHTF=day, LOGFORMAT=SAP

3.13 Restart the Web Dispatcher and Test your scenario

Do not run a first test of your scenario before all of the steps above are finished: it will not work in any
intermediate state, but it will work now!
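
A profile check for the steps above, as an added example that is not part of the SAP guide: it parses a Web Dispatcher profile and reports where it deviates from sections 3.1, 3.6 and 3.9 to 3.12. The sample profile is constructed from the parameters shown in this guide, the function names are this example's own, and each parameter is assumed to sit on a single line.

```python
# Constructed sample: the guide's profile before steps 3.11 and 3.12 are applied.
SAMPLE_PROFILE = r"""
icm/server_port_0 = PROT=HTTP,HOST=localhost,PORT=81$$
icm/server_port_1 = PROT=HTTPS,HOST=mywebdisp.customerdomain,PORT=443,ACLFILE=D:\..\sec\acl.txt
icm/HTTPS/verify_client = 1
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=D:\..\sec\perm.txt
is/HTTP/show_detailed_errors = false
"""

def parse_profile(text):
    """Return {parameter: value}; blank lines and # comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def suboptions(value):
    """Split 'PROT=HTTPS,HOST=x,PORT=443' into a dict with upper-case keys."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def audit(text):
    """List the places where a profile deviates from the guide's steps."""
    p, findings = parse_profile(text), []
    ports = {k: suboptions(v) for k, v in p.items() if k.startswith("icm/server_port_")}
    for key, opts in sorted(ports.items()):
        prot = opts.get("PROT", "").upper()
        if prot == "HTTP" and opts.get("HOST", "").lower() != "localhost":
            findings.append(f"{key}: plain HTTP not bound to localhost (3.1)")
        if prot == "HTTPS" and "ACLFILE" not in opts:
            findings.append(f"{key}: HTTPS port without ACLFILE IP filter (3.9)")
    if not any(o.get("PROT", "").upper() == "HTTPS" for o in ports.values()):
        findings.append("no HTTPS server port defined (3.1)")
    if p.get("icm/HTTPS/verify_client") != "2":
        findings.append("icm/HTTPS/verify_client is not 2: client certificate not enforced (3.11)")
    if p.get("is/HTTP/show_detailed_errors", "").lower() != "false":
        findings.append("is/HTTP/show_detailed_errors is not false (3.6)")
    if "PERMFILE" not in suboptions(p.get("icm/HTTP/auth_0", "")):
        findings.append("icm/HTTP/auth_0 has no PERMFILE URL filter (3.10)")
    if not any(k.startswith("icm/HTTP/logging_") for k in p):
        findings.append("no icm/HTTP/logging_<n> entry: HTTP logging is off (3.12)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROFILE)))
```

On the sample it reports the two steps that are still open, the verify_client value and the missing logging entry; a profile with all steps applied returns an empty list.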

3.14 Visual Summary


In this diagram CfC is SAP Cloud for Customer.

3.15 User Mapping

For user authentication via client certificate we have to distinguish whether the ICM of the backend is forwarding the call
to ABAP or to Java.

1) Java


In case the ICM backend is Dual Stack or Java Only NW PI:

The SOAP Adapter has to be configured in order to support client cert login:

Secondly, the M-User certificate has to be mapped within UME:

2) ABAP

We have to create a new entry in SM30 -> View VUSREXTID

Import the certificate used for authentication. This will be the M-User certificate issued by SAPPassport CA in
case SAP Cloud for Customer is the client, and it will be the HCI client certificate issued by Verisign in case HCI is
the client.
Upload this certificate and map it to a backend user with appropriate rights.

1. Click Continue


2. Verify the name of the communication channel and click Finish.

3. Click Close

4. The communication channel CRM_Idod_Receive can be re-used for all the connections from SAP Cloud
for Customer to SAP CRM on-premise and does not have to be re-created. Select the value using the
input help button in the receiver communication channel.


5. Select the existing communication channel and click Apply.

6. This connection is configured with the communication channels created. Click the Next Connection
arrow to configure the next connection.

7. Repeat the previous steps for the other connections within the scenario.


www.sap.com/contactsap

www.sdn.sap.com/irj/sdn/howtoguides


No part of this publication may be reproduced or transmitted in
any form or for any purpose without the express permission of SAP
AG. The information contained herein may be changed without
prior notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The
only warranties for SAP Group products and services are those
that are set forth in the express warranty statements
accompanying such
products and services, if any. Nothing herein should be construed
as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx
for additional trademark information and notices.
