Configuring Communication Channels

Objectives

After completing this lesson, you will be able to:
  • Install SAP Web Dispatcher
  • Configure HTTPS communication
  • Enable Single Sign-On

SAP Web Dispatcher Installation

Scenario

SAP Web Dispatcher is a Standalone Engine and a recommended component of an SAP Fiori system landscape. All HTTP(S) requests from the end users are targeting SAP Web Dispatcher, which acts as a reverse proxy and distributes the requests to suitable application server instances of an AS ABAP-based SAP system.

Installation

SAP Web Dispatcher offers a variety of installation options. In the context of this course, you will use the Software Provisioning Manager (SWPM) 2.0 to install an SAP Web Dispatcher 7.93.

Configuration Area of SAP Web Dispatcher

SAP Web Dispatcher is backwards compatible. This means that the SAP Web Dispatcher release can be higher or the same as the SAP system (kernel) release. The patch level can also differ from the patch level of the back-end system.

SAP Note 908097 lists the allowed combinations of SAP Web Dispatcher releases and SAP system releases.

Information on SAP Web Dispatcher – Recommended Release

Running SWPM / SAPinst

The tools for installing and updating SAP products are delivered with the Software Logistics Toolset (SL Toolset), which is updated several times a year, so you get the latest improvements and updates in time. In this manner, the SL Toolset delivers software logistics tool improvements on a continuous basis, independent from the SAP application product shipments. The SL Toolset is delivered in Support Package Stacks.

Software Provisioning Manager (SWPM) provides the latest SAPinst version with software provisioning services for several products and releases on all platforms, so that you benefit directly from up-to-date installation procedures in a tool that has been in productive use for years.

Currently, two versions of Software Provisioning Manager are available:

  • Software Provisioning Manager 1.0
  • Software Provisioning Manager 2.0

Both versions can be used to install SAP Web Dispatcher.

In case you explicitly want to install the non-Unicode version of SAP Web Dispatcher, you have to use Software Provisioning Manager 1.0.

Preparation: Download the Latest SP of SWPM

To download the latest SWPM 2.0, open https://support.sap.com/sltoolset and navigate to System Provisioning → Download Software Provisioning Manager → Software Provisioning Mgr. 2.0 → Support Package Patches → <Platform>. For more information about SWPM, see https://help.sap.com/docs/SUPPORT_CONTENT/sl/3362916978.html.

The SWPM-based installation of SAP Web Dispatcher requires the following SAP archives (.SAR files):

  • SAP Web Dispatcher

  • SAP Host Agent

Preparation: Download SAP Web Dispatcher Archive

To download the latest SAP Web Dispatcher archive, open https://me.sap.com/softwarecenter and navigate to Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>.

Preparation: Download SAP Host Agent Archive

To download the latest SAP Host Agent archive, open https://me.sap.com/softwarecenter and navigate to Support Packages & Patches → By Category → SAP Technology Components → SAP Host Agent → SAP Host Agent <Release> → <Platform>.

Screenshot showing you how to start SWPM

The sapinst executable can be launched with many command line options. To see all of them, enter sapinst -p.

The option to install an SAP Web Dispatcher is located at Generic Options → SAP Web Dispatcher → SAP Web Dispatcher (Unicode) (the path may vary, depending on the SWPM release).

Graphic illustrates Input in Dialog Phase (Mode=Typical)

SWPM offers two options for Parameter Mode, Typical or Custom. The figure lists dialogs of SWPM when being executed in Parameter Mode = Typical.

To access the installations guides for SAP Web Dispatcher, open the Guide Finder for SAP NetWeaver and ABAP Platform at https://help.sap.com/viewer/nwguidefinder and search for dispatcher (field Search entire table). Note the proper operating systems and SWPM version.

Software Update

If you want to update your SAP Web Dispatcher installation, download the SAP Web Dispatcher archive (for the proper operating system and major release) at https://me.sap.com/softwarecenter, path Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>. Unpack that file (by executing sapcar -xvf <sapwebdisp.sar file>) to the proper directory and (re)start SAP Web Dispatcher. Continue as described in SAP Note 908097 (the procedure is similar to a kernel update).

Hint

You can determine the current version of your SAP Web Dispatcher installation as follows:

  • By executing sapwebdisp -v

  • By analyzing the most recent developer trace file (by default, dev_webdisp)

  • By launching the "Version Info" dialog in SAP MC or SAP MMC

  • By navigating to Core System → Release Information within the Web Administration UI of SAP Web Dispatcher

Install SAP Web Dispatcher

Business Example

Your company is planning to use SAP Fiori apps. To provide a unique URL for end-users to access SAP S/4HANA services in a secure way, you will install an SAP Web Dispatcher 7.93. Due to the expected load and as a fail-safe, you are planning to use multiple application server instances.

Note

In this exercise, when an object name or value contains ##, replace ## with the number your trainer assigned to you.

Task 1: Preparing the Installation

Steps

  1. Using an SSH connection in MobaXterm, log on to the operating system of your feature server. Use the virtual hostname fs<q|p>host.wdf.sap.corp and the operating system user install.

    1. On the WTS, launch the application MobaXterm.

    2. Within the MobaXterm main window, choose Session.

    3. In the Connection settings dialog, choose SSH.

    4. Enter the following:

      Remote host

      Q team: fsqhost.wdf.sap.corp

      P team: fsphost.wdf.sap.corp

      Specify username: select this option

      Field right to Specify username: install
    5. Keep all other settings unchanged and choose OK.

      In case of a Connexion to... dialog, select Do not show this message again and choose Accept.

      Screenshot from system to illustrate sub-step
    6. Enter the password of the user install. Your instructor will provide details.

      Hint

      There is no visual feedback while you are typing the password. After you have entered the correct password, MobaXterm may ask whether you want to store the password permanently. If you want to, you have to provide an arbitrary master password for MobaXterm (twice).
  2. Copy the latest SAP Web Dispatcher and SAP Host Agent archives offered on the training share below /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher to /install/SAPWebDisp##.

    1. You are still in the SSH session, logged on at the operating system level of your feature server.

    2. To create the target folder, enter mkdir -p /install/SAPWebDisp##.

      Note

      Remember to replace ## with the number your trainer assigned to you. All commands are case-sensitive.
    3. To copy the latest SAP Web Dispatcher archive, enter cp /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher/SAP_Web_Dispatcher_7.93/SAPWEBDISP_SP_<PL>-80008274.SAR /install/SAPWebDisp##/.

      Note

      Replace <PL> with the latest patch level offered. You can use the Tabulator key to complete your input (in case of unique path or file names).
    4. To copy the latest SAP Host Agent archive, enter cp /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher/SAP_Host_Agent_7.22/SAPHOSTAGENT<PL>_<PL>-80004822.SAR /install/SAPWebDisp##/.

      Note

      Replace <PL> with the latest patch level offered. You can use the Tabulator key to complete your input (in case of unique path or file names).
      Screenshot from system to illustrate sub-step
  3. Extract the latest SWPM 2.0 archive offered on the training share at /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher/SWPM_2.0 to /install/SWPM##.

    1. You are still in the SSH session, logged on at the operating system level of your feature server.

    2. To create the target folder, enter mkdir -p /install/SWPM##.

    3. To change to this target folder, enter cd /install/SWPM##.

    4. To extract the latest SWPM 2.0 archive to the current folder, enter SAPCAR -xf /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher/SWPM_2.0/SWPM20SP<PL>_0-80003424.SAR.

      Note

      Replace <PL> with the latest patch level offered. You can use the Tabulator key to complete your input (in case of unique path or file names).
      Screenshot from system to illustrate sub-step
    5. Keep the MobaXterm SSH session open.

  4. Determine the real hostname using the hostname command.

    1. You are still in the SSH session, logged on at the operating system level of your feature server.

    2. To get the real hostname, enter hostname.

    3. Result: The real hostnames are as follows:

      • Q team: wdflbmt0104

      • P team: wdflbmt0107

      Screenshot from system to illustrate sub-step
  5. Launch the sapinst executable of your SWPM 2.0 using the following command line:

    ./sapinst SAPINST_USE_HOSTNAME=fs*host

    (where * stands for q or p, depending on your system allocation).

    1. You are still in the SSH session, logged on at the operating system level of your feature server.

    2. Ensure that you are in folder /install/SWPM##.

    3. To start the SWPM, enter the following command:

      • Q team: ./sapinst SAPINST_USE_HOSTNAME=fsqhost

      • P team: ./sapinst SAPINST_USE_HOSTNAME=fsphost

      Caution

      Make sure to enter SAPINST_USE_HOSTNAME using uppercase letters and the hostname in lowercase letters.
      Screenshot from system to illustrate sub-step
    4. Keep the MobaXterm SSH session open.

  6. Logon to the SWPM 2.0 using the following URL

    https://fs*host.wdf.sap.corp:4237/sapinst/docs/index.html

    and provide the credentials of the install user.

    1. On the WTS, start a web browser of your choice.

    2. Launch the following URL:

      • Q team: https://fsqhost.wdf.sap.corp:4237/sapinst/docs/index.html

      • P team: https://fsphost.wdf.sap.corp:4237/sapinst/docs/index.html

      If the browser reports a certificate error, this is expected: the sapinst web server presents a self-signed certificate. Accept the warning and proceed to the given URL.

      Screenshot from system to illustrate sub-step
    3. To start the SAP Software Provisioning Manager UI, enter the credentials of the operating system user, which is install. Your instructor will provide details.

      Screenshot from system to illustrate sub-step
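The preparation steps of Task 1 (staging the archives with the highest patch level, unpacking SWPM 2.0 and launching sapinst with a lower-case virtual host name) as one shell script. This is an added example and not part of the SAP course material or of SWPM itself; the share layout, archive name patterns and the /install target are taken from the exercise, while the function names and the fallback when SAPCAR is not on the PATH are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not SAP's code): stage SAP Web Dispatcher, SAP Host Agent and SWPM 2.0
# archives for an SWPM-based installation and build the sapinst command line.
set -eu

# latest_sar <dir> <name-prefix>: print the archive under <dir> whose name starts with
# <name-prefix> (e.g. SAPWEBDISP_SP_) and carries the highest patch level. sort -V compares
# digit runs numerically, so SAPWEBDISP_SP_123 ranks above SAPWEBDISP_SP_99.
latest_sar() {
  dir=$1; prefix=$2
  found=$(ls "$dir"/"$prefix"*.SAR 2>/dev/null | sort -V | tail -n 1)
  [ -n "$found" ] || { echo "no $prefix*.SAR archive in $dir" >&2; return 1; }
  printf '%s\n' "$found"
}

# sapinst_cmdline <virtual-host>: print the sapinst invocation for the given virtual host.
# SAPINST_USE_HOSTNAME is upper case and the host name must be lower case (the exercise's
# caution), so anything containing upper-case letters is rejected before sapinst is started.
sapinst_cmdline() {
  host=$1
  [ -n "$host" ] || { echo "virtual host name missing" >&2; return 1; }
  case $host in
    *[A-Z]*) echo "virtual host name must be lower case: $host" >&2; return 1 ;;
  esac
  printf './sapinst SAPINST_USE_HOSTNAME=%s\n' "$host"
}

# stage_media <##> <share> <install-base>: create <install-base>/SAPWebDisp## with the newest
# SAP Web Dispatcher and SAP Host Agent archives, then unpack the newest SWPM 2.0 archive into
# <install-base>/SWPM##. SAPCAR is only invoked when it is on the PATH (hypothetical fallback).
stage_media() {
  nn=$1; share=$2; base=$3
  pkg="$base/SAPWebDisp$nn"; swpm="$base/SWPM$nn"
  mkdir -p "$pkg" "$swpm"
  cp "$(latest_sar "$share/SAP_Web_Dispatcher_7.93" SAPWEBDISP_SP_)" "$pkg"/
  cp "$(latest_sar "$share/SAP_Host_Agent_7.22" SAPHOSTAGENT)" "$pkg"/
  swpm_sar=$(latest_sar "$share/SWPM_2.0" SWPM20SP)
  if command -v SAPCAR >/dev/null 2>&1; then
    (cd "$swpm" && SAPCAR -xf "$swpm_sar")
  else
    echo "SAPCAR not found on PATH; extract $swpm_sar into $swpm manually" >&2
  fi
}

# Usage on the feature server, e.g. for team Q with trainer number 07:
#   stage_media 07 /kpstransfer/Maintenance/fsXhost/SAP_Web_Dispatcher /install
#   cd /install/SWPM07 && $(sapinst_cmdline fsqhost)
```

The script deliberately fails instead of guessing when no archive matches or when the host name contains upper-case letters; a silent fallback at this point would leave the Web Dispatcher profile bound to the wrong host name.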

Task 2: Performing the Installation

Steps

  1. Perform an SAP Web Dispatcher installation using the following settings:

    Field                               Q Team                     P Team
    Parameter Mode                      Typical                    Typical
    SAP System ID (SAPSID)              WDQ                        WDP
    SAP Mount Directory                 keep /sapmnt               keep /sapmnt
    Master Password                     SAPWebDisp##               SAPWebDisp##
    Package Path                        /install/SAPWebDisp##      /install/SAPWebDisp##
    Message Server Host                 s4qhost.wdf.sap.corp       s4phost.wdf.sap.corp
    SAP Back-End System ID              S4Q                        S4P
    Message Server HTTP Port            8120                       8130
    Cleanup of Operating System Users   do not select this option  do not select this option
    Instance Number                     20                         30
    HTTPS Port                          44320                      44330
    1. In the Software Provisioning Manager browser window, select Generic Options → SAP Web Dispatcher → SAP Web Dispatcher (Unicode) and choose Next.

      Screenshot from system to illustrate sub-step
    2. In the Parameter Mode field, choose Typical and then Next.

    3. In the SAP System ID (SAPSID) field, enter the following:

      • Q team: WDQ

      • P team: WDP

      (as in the table above). Do not change the suggested value for SAP Mount Directory. When done, choose Next.

    4. In the Master Password field(s), enter SAPWebDisp## (twice) and choose Next.

    5. On the Software Package Browser (for SAP Web Dispatcher) screen, use the F4 value help of the field Package Path to provide the proper location for the SAP Web Dispatcher and SAP Host Agent SAR files. In the Package Path screen, mark the folder /install/SAPWebDisp## and choose OK. When done, choose Next.

    6. On the next screen, verify that the Status (in the table) changed to Available, then choose Next.

    7. On the Software Package Browser (for SAP Host Agent) screen, verify that the Status (in the table) is Available, then choose Next.

    8. On the Connecting SAP Web Dispatcher to a Message Server screen, enter the following:

      Message Server Host

      Q team: s4qhost.wdf.sap.corp

      P team: s4phost.wdf.sap.corp

      SAP Back-End System ID

      Q team: S4Q

      P team: S4P

      Message Server HTTP Port

      Q team: 8120

      P team: 8130

      When done, choose Next.

    9. On the Cleanup of Operating System Users screen, choose Next.

    10. On the Parameter Summary screen, choose Show Details (at the bottom).

    11. Select the sections

      • SAP Web Dispatcher Instance
      • SAP Web Dispatcher Parameters
      (you may have to scroll down) and choose Revise (at the bottom).

    12. On the SAP Web Dispatcher Instance screen, at the Instance Number field, enter the following:

      • Q team: 20

      • P team: 30

      Keep all other settings unchanged and choose Next.

    13. On the SAP Web Dispatcher Parameters screen, at the HTTPS Port field, enter the following:

      • Q team: 44320

      • P team: 44330

      Keep all other settings unchanged and choose Next.

    14. On the Parameter Summary screen, note all parameters. When you are fine with all settings, choose Next. This will start the installation.

      Note

      The installation runtime is about 5 minutes.
    15. On the final confirmation screen Service Completed, choose OK.

    16. Close the Feedback to SAP popup (without providing any feedback).

    17. Choose Exit. This will stop the SWPM/SAPinst server.

    18. Close the browser which was used for the installation.

Result

You have installed an SAP Web Dispatcher using SWPM/SAPinst.

SAP Web Dispatcher in SSL Server Role

To set up the communication channel between clients and SAP Web Dispatcher, configure SAP Web Dispatcher to support SSL and configure the SAP Web Dispatcher server port.

Use Cases of SAP Web Dispatcher and SSL

The first connection type shown in the figure does not use SSL at all. Therefore, you only need to set the port to HTTP. No extra configuration is needed.

For the second connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTP and the outgoing connection uses HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL client.

For the third connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTPS and the outgoing connection uses HTTP. Therefore, you must configure SAP Web Dispatcher as an SSL server.

For the fourth connection type, the request is terminated at SAP Web Dispatcher. Both the incoming connection and the outgoing connection use HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL server and an SSL client.

Graphic outlines the SAP Web Dispatcher in the SSL Server Role

We will now consider how to configure SAP Web Dispatcher in an SSL server role.

Tools of SAP Web Dispatcher and SSL

We recommend that you use the Web Admin UI of SAP Web Dispatcher to configure SSL support.

As a high-level overview, these are the required steps to configure SAP Web Dispatcher for SSL when the connection is terminated and SSL is used:

  1. Create the SAP Web Dispatcher's Personal Security Environments (PSE(s)) and certificate request(s). Create an SSL server PSE if the incoming connections use SSL. Create an SSL client PSE if the outgoing connections use SSL. Create both if both connections use SSL.

    To create an SSL server PSE with Subject Alternative Name (SAN), refer to SAP Note 2502649 (Creating certificates with Subject Alternative Name (SAN) through the Web Admin page).

  2. Perform the following steps for each of the PSEs that you created in the previous step:

    1. Send the certificate request(s) to a CA to be signed.

    2. Import the certificate request response(s) into the PSE.

    3. Create credentials for SAP Web Dispatcher.

  3. For SSL outbound connections, import a CA root certificate into the SSL client PSE of SAP Web Dispatcher. Use the same CA root certificate for the CA that issued the SSL server certificate to the AS ABAP application server.

  4. Set the profile parameters according to the case you are using.

  5. Restart SAP Web Dispatcher.

  6. Test the connection.

For details, see the online documentation for SAP NetWeaver or ABAP Platform.
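The profile side of step 4 above, for all four connection types described earlier in this lesson. This is an added example and not taken from the SAP course material or SAP documentation: the parameter names and value semantics are those of SAP Web Dispatcher (icm/server_port_<n>, ssl/server_pse, ssl/client_pse, wdisp/ssl_encrypt, wdisp/system_<n>, icm/HTTPS/verify_client, wdisp/add_client_protocol_header), while the function, the port scheme 443<instance> / 80<instance> and the S4Q values from the exercise are this example's assumptions.

```shell
#!/bin/sh
# Added example (not SAP's code): print the SAP Web Dispatcher profile parameters for a given
# combination of inbound (browser -> Web Dispatcher) and outbound (Web Dispatcher -> AS ABAP)
# protocol. Inbound HTTPS means the SSL server role (SAPSSLS.pse); outbound HTTPS means the SSL
# client role (SAPSSLC.pse); both means both PSEs are needed.
set -eu

# webdisp_ssl_profile <in: http|https> <out: http|https> <instance-no> <SID> <ms-host> <ms-http-port>
webdisp_ssl_profile() {
  in=$1; out=$2; nr=$3; sid=$4; mshost=$5; msport=$6
  case "$in/$out" in
    http/http|http/https|https/http|https/https) ;;
    *) echo "usage: webdisp_ssl_profile http|https http|https <nr> <SID> <mshost> <msport>" >&2; return 1 ;;
  esac
  echo "SAPSYSTEM = $nr"
  # back-end system reached through its message server HTTP port (as entered in SWPM)
  echo "wdisp/system_0 = SID=$sid, MSHOST=$mshost, MSPORT=$msport, SRCSRV=*:*"
  if [ "$in" = https ]; then
    # SSL server role: TLS from the browser is terminated here with the key pair in SAPSSLS.pse.
    # verify_client=0 does not request an X.509 client certificate from the browser.
    echo "icm/server_port_0 = PROT=HTTPS, PORT=443$nr"
    echo "ssl/server_pse = \$(DIR_INSTANCE)/sec/SAPSSLS.pse"
    echo "icm/HTTPS/verify_client = 0"
  else
    echo "icm/server_port_0 = PROT=HTTP, PORT=80$nr"
  fi
  if [ "$out" = https ]; then
    # SSL client role: re-encrypt towards AS ABAP; the CA root that issued the AS ABAP server
    # certificate (and, optionally, an own key pair) lives in SAPSSLC.pse.
    echo "wdisp/ssl_encrypt = 1"
    echo "ssl/client_pse = \$(DIR_INSTANCE)/sec/SAPSSLC.pse"
  else
    # terminate TLS (if any) and forward in plain HTTP
    echo "wdisp/ssl_encrypt = 0"
  fi
  # let AS ABAP know which scheme the browser used, so generated absolute URLs stay https://
  echo "wdisp/add_client_protocol_header = true"
}

# Example: third connection type (HTTPS in, HTTP out) for the Q team's WDQ instance 20
webdisp_ssl_profile https http 20 S4Q s4qhost.wdf.sap.corp 8120
```

Treat the output as the parameters to review in the instance profile after SWPM has written it; the case of the exercise (HTTPS from the browser, and later HTTPS to the back end as well) is the fourth combination, which needs both PSEs.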

Enable HTTPS between the Web Browser and SAP Web Dispatcher

Business Example

In this exercise, you will learn about the required settings for SSL support of SAP Web Dispatcher.

Note

In this exercise, when an object name or value contains ##, replace ## with the number your trainer assigned to you.

Task 1: Launch the Web Admin UI of SAP Web Dispatcher

Steps

  1. Open and log on to the Web Admin UI of your SAP Web Dispatcher (at WTS level).

    1. Make sure that you are on WTS level.

    2. Open a web browser of your choice.

    3. Enter the following URL: https://<full qualified SAP Web Dispatcher hostname>:443$$/sap/wdisp/admin where $$ is the SAP Web Dispatcher instance number.

      Note

      You may also use the browser favorite/bookmark prepared at the following:
      • Q team: 20 Quality Assurance → fsqhost → 20 WDQ SAP Web Dispatcher Administration
      • P team: 30 Production → fsphost → 30 WDP SAP Web Dispatcher Administration
    4. In case of a certificate-related security warning, ignore it and proceed.

    5. At the SAP Web Dispatcher logon screen, provide the following: Username: webadm, and your master Password (which should be SAPWebDisp##).

      SAP Web Dispatcher logon screen

Result

You are logged on to the Web Admin UI of SAP Web Dispatcher with an administrative user.

Task 2: Create and Sign a Key Pair for SSL — Server

Steps

  1. Open the SAP Web Dispatcher server PSE (view SAPSSLS.pse). Recreate this PSE using the following Distinguished Name:

    • Q team: DNS=wdflbmt0104.wdf.sap.corp, CN=fsqhost.wdf.sap.corp
    • P team: DNS=wdflbmt0107.wdf.sap.corp, CN=fsphost.wdf.sap.corp
    The value of DNS is propagated to the Subject Alternative Name (SAN) extension of the certificate. Modern web browsers validate the host name against the SAN only and ignore the CN, so every host name under which end users reach the SAP Web Dispatcher must appear as a DNS entry in the SAN.
    1. Within the Web Admin UI, navigate to SSL and Trust Configuration → PSE Management.

    2. Ensure that at Manage PSE, the option SAPSSLS.pse is selected.

    3. Choose Recreate PSE.

    4. As Distinguished Name, enter the following:

      • Q team: DNS=wdflbmt0104.wdf.sap.corp, CN=fsqhost.wdf.sap.corp
      • P team: DNS=wdflbmt0107.wdf.sap.corp, CN=fsphost.wdf.sap.corp
    5. Keep all other settings unchanged and choose Create.

      Unchanged settings and choosing Create
    6. To ensure that the changed certificate is being used for your connection, complete the following five steps:

      1. Log off from the Web Admin UI (note the Logout icon at the top right).
      2. Close your browser window.
      3. Start the web browser again.
      4. Launch the Web Admin UI.
      5. Log on to the Web Admin UI (using the webadm user).
  2. Create a CA request, sign it using the SAP Secure Login Server hosted on the SMJ system and import the response.

    Here are some hints on the SAP Secure Login Server acting as CA in this training:

    • SAP Secure Login Administration Console (SLAC) URL: https://smhost.wdf.sap.corp:59101/slac
    • Path: Certificate Management → Sign certificate requests
    • Certificate Template: SSL Server Template
    • Issuer: SAP Training SSL Sub CA
    • Certificate Response Type: PKCS#7

    1. Within the Web Admin UI, navigate to SSL and Trust Configuration → PSE Management.

    2. Ensure that at Manage PSE the option SAPSSLS.pse is selected.

    3. Choose Create CA Request.

    4. Select the complete CA Request (including the lines with the ----- signs) and save it in your clipboard.

      Complete CA Request selected and saved to clipboard
    5. To launch the Secure Login Administration Console (SLAC), open the following URL https://smhost.wdf.sap.corp:59101/slac in a new web browser window or tab.

      Note

      You may also use the browser favorite/bookmark prepared at 80 Application Lifecycle Management → smhost → 90 SMJ Secure Login Administration Console.
    6. When asked for credentials, provide the logon data of your train-## user (in client 100 of system SMA, to which the UME of system SMJ is connected).

    7. In case the password of your train-## user in client 100 of system SMA is still initial, you have to provide a new password that meets the following requirements:

      login/min_password_lng = 10
      login/min_password_lowercase = 1
      login/min_password_uppercase = 1
      login/min_password_digits = 1
    8. Within the SLAC, navigate to Certificate Management → Sign certificate requests.

    9. Paste the CA Request (contents of your clipboard) into the Encoded Certificate Request field.

    10. Choose Show Certificate Request.

    11. Adjust the following settings:

      • End Validity: increase the suggested value (for example to one year from today)

      • Certificate Template: choose SSL Server Template

      • Issuer: choose SAP Training SSL Sub CA

      • Certificate Response Type: choose PKCS#7

      Screenshot of Secure Login Administration Console
    12. When you are done, choose Sign Certificate.

    13. Select the complete CA Response (including the lines with the ----- signs) and save it in your clipboard.

      Hint

      In case of issues, you may also Download the certificate response to a file.
    14. In the PSE Management / SAPSSLS view of the SAP Web Dispatcher Web Admin UI, choose Import CA Response into PSE SAPSSLS.pse.

    15. Paste the complete CA Response into the Import CA Response field (in the Web Admin UI of SAP Web Dispatcher) and choose Import.

      Complete CA Response pasted into Import CA Response field and Import selected
    16. Note that the value of Issuer changed to CN=Secure Login SSL CA, O=SAP Training, C=DE.

    17. Note the value of SubjectAltName.

    18. Log off from the Web Admin UI (note the Logout icon at the top right).

Task 3: Verify the Configuration

Steps

  1. On the WTS, open and log on to the Web Admin UI of SAP Web Dispatcher and note the SSL status.

    1. On the WTS, close all web browser windows.

    2. On the WTS, start a web browser of your choice.

    3. Enter the following URL: https://<full qualified SAP Web Dispatcher host name>:<SAP Web Dispatcher HTTPS Port>/sap/wdisp/admin.

    4. When asked for credentials, provide the following: user webadm, and your master password (which should be SAPWebDisp##).

    5. Note the SSL status in the web browser – no warnings should be reported.

      No warnings about the SSL certificate are displayed because the web browsers on the WTS trust the issuing Certification Authority (CN = Secure Login SSL CA, O = SAP Training, C = DE).

      Screenshot from system to illustrate sub-step

SAP Web Dispatcher in SSL Client Role

Graphical outline of SAP Web Dispatcher in SSL Client Role

If SAP Web Dispatcher also uses SSL for the connection to the AS ABAP system (re-encryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE.

Trust with AS ABAP – Based on a Common Certification Authority (CA)

You have different options to establish a trust between SAP Web Dispatcher and an AS ABAP system. One approach is that you export the SSL server certificate from the AS ABAP system and import it to the SAP Web Dispatcher client PSE. However, a more convenient approach is that you have a common Certification Authority (CA) in place.

  • Use this CA to sign the SSL server certificate of AS ABAP (transaction STRUST).

  • Import the root certificate of the same CA into the SAP Web Dispatcher client PSE.

As of SAP Web Dispatcher 7.53, you can establish the trust with an AS ABAP-based back-end system completely in the Web Admin UI (a separate download of the respective certificate is not necessary anymore). To do so, use the feature in the Web Admin UI available at <SID of SAP system> → Monitor Application Servers → <application server menu (column Name)> → Establish Trust. Here you can choose the certificate to establish the trust (Root Certificate, Issuer Certificate(s) or Peer Certificate).

Additional information

For details of the configuration, refer to the SAP Web Dispatcher SSL Trust Configuration document that is available at https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959216.html.

Enable HTTPS between SAP Web Dispatcher and the SAP System

Note

In this exercise, when an object name or a value contains ##, replace ## with the number your trainer assigned to you.

Task 1: Check the Communication Between SAP Web Dispatcher and the SAP System

Steps

  1. Open and log on to the Web Admin UI of your SAP Web Dispatcher.

    1. On the WTS, start a web browser of your choice.

    2. Enter the URL of the Web Admin UI of your SAP Web Dispatcher (https://<fully qualified SAP Web Dispatcher hostname>:443$$/sap/wdisp/admin).

      Note

      You may also use the browser favorite/bookmark prepared at the following:
      • Q team: 20 Quality Assurance → fsqhost → 20 WDQ SAP Web Dispatcher Administration
      • P team: 30 Production → fsphost → 30 WDP SAP Web Dispatcher Administration
    3. At the SAP Web Dispatcher logon screen, provide the following: Username: webadm, and your master Password (which should be SAPWebDisp##).

  2. Open the Application Server Monitor within the SAP Web Dispatcher Web Admin UI and note the HTTPS validity.

    1. Within the Web Admin UI of your SAP Web Dispatcher, navigate to <SID of your SAP system> → Monitor Application Servers. The Application Server Monitor opens.

    2. Note the column Valid (HTTPS). The tool-tip of the warning (triangle icon) is Server is not reachable - in this case due to missing configuration steps.

      Screenshot of Valid (HTTPS) column in the system

Task 2: Import the SAP Secure Login Server Root Certificate into the SAP Web Dispatcher Client PSE

Steps

  1. Determine the signer of the SSL server certificates used by the ICM processes of your SAP S/4HANA system.

    1. Log on to your SAP system using the train-## user.

    2. Start transaction STRUST.

    3. Navigate to SSL server Standard → System-wide.

    4. Double-click any of the instances.

    5. Note the Issuer Certificates section in the area Own Certificate.

      Trust Manager: Display
    6. Do not change anything here – this is just for your reference.

    Result

    The SAP Secure Login Server also signed the SSL server certificate used by the ICM processes of your SAP S/4HANA system.
  2. Import the SAP Secure Login Server Root Certificate into the SAP Web Dispatcher Client PSE.

    1. Within the Web Admin UI of your SAP Web Dispatcher, navigate to <SID of your SAP system> → Monitor Application Servers. The Application Server Monitor opens.

    2. Note the Name column that shows the application server instances of your SAP system.

    3. Select the Host Menu for any of the instances (by selecting them), and choose Establish Trust.

      Establish Trust option
    4. In the line for certificate type Root Certificate, choose Import Certificate into SAPSSLC.pse (on the right, in the column Actions).

      Choosing Import Certificate into SAPSSLC.pse
    5. Choose Import.

      Imported Certificate into PK List of PSE SAPSSLC.pse

Result

You have imported the SAP Secure Login Server Root Certificate into the SAP Web Dispatcher Client PSE.

Task 3: Verify the Configuration

Steps

  1. Repeat the first part of this exercise (Check the Communication between SAP Web Dispatcher and the SAP System).

    1. Within the Web Admin UI of your SAP Web Dispatcher, navigate to <SID of your SAP system> → Monitor Application Servers. This opens the Application Server Monitor.

    2. Note the Valid (HTTPS) column. No warnings should be displayed.

      The Valid (HTTPS) column
  2. On the WTS, open the ICF service /sap/public/info:

    • Using a web browser on the WTS

    • In your SAP S/4HANA system

    • Using your SAP Web Dispatcher

    1. On the WTS, open a web browser.

    2. Enter the following URL: https://<full qualified SAP Web Dispatcher hostname>:<SAP Web Dispatcher HTTPS Port>/sap/public/info.

      Screenshot of system to illustrate the sub-step

      In case of repeated refreshes, you should notice that the requests are distributed to the PAS and AAS instances of the SAP system (note the value of RFCDEST).

SSO Mechanisms

User Authentication and Single Sign-On (SSO)

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During the launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

After initial authentication, a security session is established between the client and the ABAP front-end server. Transactional apps can then send OData requests through the ABAP front-end server towards the ABAP back-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC and no additional authentication is required.

For search in SAP Fiori launchpad, applications send InA search requests from the client to the SAP HANA database. These requests can be authenticated with Kerberos/SPNego, X.509 client certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.

The following authentication and single sign-on (SSO) mechanisms are supported for SAP Fiori apps:

User ID and Password

The AS ABAP user ID and password authentication functions enable authorized users to access the AS ABAP by interactively providing a user ID and password. User ID and password authentication enables you to enforce access control to your AS ABAP systems with an authentication mechanism that offers basic access protection with relatively low complexity of security configuration tasks.

Using user ID and password authentication in complex system landscapes where users must log on to multiple systems, however, increases the users' workload, because they have to enter a user ID and password for each system.

X.509 Client Certificates

If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 client certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 client certificates.

Authentication with X.509 client certificates provides the following advantages:

  • It does not require an issuing system during logon, which means that it works well in Internet-facing scenarios.

  • It is also supported for logon to the SAP GUI. Using X.509 client certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

X.509 client certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software - for example, SAP Mobile Platform.

Kerberos/SPNego

If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication is particularly recommended if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.

Kerberos/SPNego authentication provides the following advantages:

  • It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.

  • It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

  • It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most Internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms, such as X.509 client certificates or a SAML Identity Provider.

SAML 2.0

If you have implemented the Security Assertion Markup Language (SAML) version 2.0 as the method of single sign-on (SSO) within your organization, you can configure the ABAP front-end server for use with SAML 2.0.

This authentication method provides the following advantages:

  • It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains, where trust configuration can be complicated.

  • It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user domains.

During the logon process, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable single sign-on with SAML 2.0 in Internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity Provider is securely accessible from outside your corporate network.

SAP Logon Tickets

For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you must configure the required back-end systems (ABAP or SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP HANA; user mapping is not supported. As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system landscape are located within the same DNS domain.

SSO using X.509 Client Certificates

Authentication with X.509 client certificates uses a public-key infrastructure (PKI) to securely authenticate users. After users receive their X.509 client certificates from an issuing Certification Authority (CA), they can use them to securely access SAP NetWeaver as well as non-SAP systems. SAP NetWeaver and the non-SAP systems can authorize the access requests based on an established trust relationship with the CA. In addition, users can use their X.509 client certificates to authenticate to systems located on the Internet and within your company's intranet, so certificates are suitable for authentication in open environments such as the Internet.

In this training, we will use X.509 client certificates to enable SSO. In this case, we have to configure SAP Web Dispatcher to forward the clients' SSL certificates to the AS ABAP system for X.509 authentication.

The SAP Web Dispatcher usually terminates SSL connections and then re-encrypts the traffic to send it to the AS ABAP system. Because of this re-encryption, the AS ABAP system receives the HTTP request that has to be authenticated on an SSL connection that was initiated with the SAP Web Dispatcher's own client certificate, not with the end user's certificate.

As a consequence, the SAP Web Dispatcher has to forward the original client certificate (the browser certificate) to the AS ABAP system. This is achieved by putting the original client certificate into an HTTP request header field (by default SSL_CLIENT_CERT).

The AS ABAP system cannot simply take a client certificate from an HTTP request header, because otherwise anyone able to send a request could place a stolen or arbitrary certificate in that header and be authenticated as its owner. Therefore the AS ABAP system must only accept client certificates that have been forwarded by a trusted intermediary.

The configuration of SSL certificate forwarding in the SAP Web Dispatcher consists of three parts:

  • The client (browser) has to send its certificate.

  • The SAP Web Dispatcher has to accept and forward the client’s certificate.

  • The AS ABAP system has to accept the forwarded certificate.

For details of the configuration, refer to the SAP Web Dispatcher SSL Certificate Forwarding document that is available at https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959224.html.

Enable Single Sign-On using X.509 Client Certificates

Business Example

Note

In this exercise, when an object name or a value contains ##, replace ## with the number your trainer assigned to you.

Task 1: Sign the Key Pair for SSL – Client

Steps

  1. Open and log on to the Web Admin UI of your SAP Web Dispatcher.

    1. On the WTS, start a web browser.

    2. Enter the URL of the Web Admin UI of your SAP Web Dispatcher (https://<fully qualified SAP Web Dispatcher hostname>:443$$/sap/wdisp/admin).

      Note

      You may also use the browser favorite/bookmark prepared at
      • Q team: 20 Quality Assurance > fsqhost20 > WDQ SAP Web Dispatcher Administration
      • P team: 30 Production > fsphost30 > WDP SAP Web Dispatcher Administration

    3. At the SAP Web Dispatcher logon screen, provide the following: Username webadm and your master password (which should be SAPWebDisp##).

  2. Create a CA request for the SAP Web Dispatcher client PSE (view SAPSSLC.pse), sign it using the SAP Secure Login Server hosted on the SMJ system, and import the response.

    Here are some hints on the SAP Secure Login Server acting as CA in this training:

    • SAP Secure Login Administration Console (SLAC) URL: https://smhost.wdf.sap.corp:59101/slac
    • Path: Certificate Management > Sign certificate requests
    • Certificate Template: SSL Client Template
    • Issuer: SAP Training SSL Sub CA
    • Certificate Response Type: PKCS#7

    1. In the Web Admin UI, navigate to SSL and Trust Configuration > PSE Management.

    2. Ensure that at Manage PSE the option SAPSSLC.pse is selected.

      Caution

      Do not change anything for SAPSSLS.pse!

    3. Choose Create CA Request.

    4. Mark the complete CA Request (including the lines with the ----- signs) and save it in your clipboard.

    5. In a new web browser window/tab, launch the Secure Login Administration Console (SLAC) using the URL https://smhost.wdf.sap.corp:59101/slac.

      Note

      You may also use the browser favorite/bookmark prepared at 80 Application Lifecycle Management > smhost90 > SMJ Secure Login Administration Console.

    6. When asked for credentials, provide the logon data of your train-## user (in client 100 of system SMA, to which the UME of system SMJ is connected).

    7. Within the SLAC, navigate to Certificate Management > Sign certificate requests.

    8. Paste the CA Request (content of your clipboard) into the Encoded Certificate Request field.

    9. Choose Show Certificate Request.

    10. Adjust the following settings:

      • End Validity: increase the suggested value (for example to one year from today)

      • Certificate Template: choose SSL Client Template

      • Issuer: choose SAP Training SSL Sub CA

      • Certificate Response Type: choose PKCS#7

    11. When done, choose Sign Certificate.

    12. Mark the complete CA Response (including the lines with the ----- signs) and save it in your clipboard.

    13. Paste the complete CA Response into the Import CA Response into PSE SAPSSLC.pse field (in the Web Admin UI of SAP Web Dispatcher) and choose Import.

      Caution

      Double-check that SAPSSLC.pse is displayed (left to the Import button). Do not change anything for SAPSSLS.pse!

    14. Note that the certificate issuer changed to CN=Secure Login SSL CA, O=SAP Training, C=DE.

Task 2: Add your SAP Web Dispatcher Client PSE to the List of Trusted Reverse Proxies in your SAP S/4HANA System

Steps

  1. Open the extended maintenance mode for the default profile of your SAP S/4HANA system.

    1. Log on to your SAP system using the train-## user.

    2. Start transaction RZ10.

    3. At the Profile field, choose the DEFAULT (using the F4 help).

    4. Select Extended maintenance and choose Change.

  2. Note the already prepared parameter icm/trusted_reverse_proxy_0. Create a new parameter icm/trusted_reverse_proxy_1 with the corresponding settings for your SAP Web Dispatcher system.

    1. Choose Parameter > Create(L) (F5) from the menu (or, alternatively, the button Parameter Create (F5)) to create a new parameter.

      Hint

      The new parameter is inserted above the cursor position. For readability, you may select the line below the prepared parameter icm/trusted_reverse_proxy_0 before creating the new parameter icm/trusted_reverse_proxy_1.

    2. As Parameter Name, enter icm/trusted_reverse_proxy_1.

    3. As Parameter Value, enter SUBJECT="<Subject>", ISSUER="CN=Secure Login SSL CA, O=SAP Training, C=DE" and replace <Subject> with the string you have determined in the previous step.

      • Q team: SUBJECT="CN=WDQ, OU=SSL CLIENT",ISSUER="CN=Secure Login SSL CA, O=SAP Training, C=DE"

      • P team: SUBJECT="CN=WDP, OU=SSL CLIENT",ISSUER="CN=Secure Login SSL CA, O=SAP Training, C=DE"

      Caution

      Make sure to enter both the parameter name and value correctly (including upper- and lowercase).
    4. Choose Copy.

    5. Choose Back (F3).

    6. Choose Yes in the Save changes? popup.

    7. Choose Copy.

    8. Choose Back (F3).

    9. Choose Save.

    10. In the Save Profile – Errors detected in parameter values. Display values? popup, choose No.

    11. In the Activate Profile – Do you want to activate the profile? popup, choose Yes.

    12. Choose Continue (twice).

  3. Restart all ICM processes of your SAP system.

    Note: In productive environments, you should not restart the ICM process this way (see SAP Note 2367439, Avoid manual restart of ICM process).

    1. Continue working in your SAP system.

    2. Enter transaction SMICM.

    3. In the menu, choose Administration > ICM > Exit Soft > Global.

    4. In the popup Are you sure you want to restart all ICM processes in the system?, choose Yes.

    5. After the ICM restart, check whether the parameter icm/trusted_reverse_proxy_1 shows up with the correct value at Goto > Parameters.

      Hint

      You will have to scroll down; the list of parameters is sorted alphabetically.

Result

Your SAP system trusts your SAP Web Dispatcher. For details on Multiple Trusted Reverse Proxies, see SAP Note 2052899.
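The trust decision that the icm/trusted_reverse_proxy_<n> entries from Task 2 configure, and that the certificate forwarding section above describes, as an added Python example (not SAP's ICM code, but a simplified model of the rule it enforces): the forwarded SSL_CLIENT_CERT header is honoured only when the TLS peer that delivered the request presented a certificate whose subject and issuer match a trusted reverse proxy entry; a request from anyone else that carries the header is treated as if the header were absent. The _1 parameter value is the Q team value from the exercise; the prepared _0 entry, the peer certificate names, the header content and all function names are constructed for this example.

```python
"""Model of the trusted reverse proxy check (added example, not SAP's ICM code)."""
import re

HEADER_NAME = "SSL_CLIENT_CERT"   # default header field carrying the forwarded certificate

_FIELD_RE = re.compile(r'(SUBJECT|ISSUER)\s*=\s*"([^"]*)"')


def normalize_dn(dn: str) -> str:
    """Canonicalise whitespace around the RDN separators only. Case is left as is,
    because the exercise requires the value to match including upper/lower case."""
    return ", ".join(part.strip() for part in dn.split(","))


def parse_trusted_reverse_proxy(value: str) -> dict:
    """Parse one icm/trusted_reverse_proxy_<n> value: SUBJECT="...", ISSUER="..."."""
    fields = dict(_FIELD_RE.findall(value))
    missing = {"SUBJECT", "ISSUER"} - set(fields)
    if missing:
        raise ValueError(f"malformed value, missing {sorted(missing)}: {value!r}")
    return {key: normalize_dn(val) for key, val in fields.items()}


def trusted_proxies(profile: dict) -> list:
    """All trusted reverse proxy entries of a profile, in parameter order."""
    return [parse_trusted_reverse_proxy(val) for key, val in sorted(profile.items())
            if key.startswith("icm/trusted_reverse_proxy_")]


def select_client_certificate(profile: dict, peer_subject: str, peer_issuer: str, headers: dict):
    """Decide which certificate the application server may use for authentication.
    Returns (source, certificate); source is 'forwarded', 'tls-peer' or 'none'."""
    forwarded = headers.get(HEADER_NAME)
    peer = {"SUBJECT": normalize_dn(peer_subject), "ISSUER": normalize_dn(peer_issuer)}
    if forwarded is None:
        # No intermediary involved: the handshake certificate belongs to the client itself.
        return "tls-peer", peer_subject
    if peer in trusted_proxies(profile):
        # The header arrived over a TLS connection authenticated by a trusted proxy.
        return "forwarded", forwarded
    # Any other sender could have written an arbitrary certificate into the header.
    return "none", None


# Constructed sample profile. Entry _0 was already prepared in the training system
# (value invented here); entry _1 is the Q team value entered in Task 2.
SAMPLE_PROFILE = {
    "icm/trusted_reverse_proxy_0":
        'SUBJECT="CN=PREPARED-PROXY, OU=SSL CLIENT", ISSUER="CN=Secure Login SSL CA, O=SAP Training, C=DE"',
    "icm/trusted_reverse_proxy_1":
        'SUBJECT="CN=WDQ, OU=SSL CLIENT",ISSUER="CN=Secure Login SSL CA, O=SAP Training, C=DE"',
}
TRAINING_ISSUER = "CN=Secure Login SSL CA, O=SAP Training, C=DE"
BROWSER_CERT = "<constructed: base64 DER of the end user's browser certificate>"


def scenarios() -> dict:
    """Four constructed requests as the ICM of the S/4HANA system would see them."""
    return {
        # 1. Browser -> WDQ -> AS ABAP; WDQ authenticated itself with SAPSSLC.pse.
        "via_wdq": select_client_certificate(
            SAMPLE_PROFILE, "CN=WDQ, OU=SSL CLIENT", TRAINING_ISSUER, {HEADER_NAME: BROWSER_CERT}),
        # 2. Same subject, but issued by a CA that is not in the entry: the ISSUER part matters.
        "other_issuer": select_client_certificate(
            SAMPLE_PROFILE, "CN=WDQ, OU=SSL CLIENT", "CN=Some Other CA, O=Example, C=DE",
            {HEADER_NAME: BROWSER_CERT}),
        # 3. Unknown client that adds the header on its own.
        "unknown_sender": select_client_certificate(
            SAMPLE_PROFILE, "CN=Unknown Client", TRAINING_ISSUER, {HEADER_NAME: BROWSER_CERT}),
        # 4. Browser talking to the AS ABAP directly; no header, its own certificate counts.
        "direct": select_client_certificate(
            SAMPLE_PROFILE, "CN=train-01, OU=Users", TRAINING_ISSUER, {}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The second and third scenarios are the reason the exercise insists on the exact subject and issuer strings: a proxy entry with only a subject would let any certificate bearing that CN, from any CA, unlock the header, whereas the combination ties the trust to the certificate that the training sub CA actually signed.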