How to Configure SAP Web Dispatcher as a Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI

Similar documents
How-To Guide SAP Cloud for Customer Document Version: How to Configure SAP HCI basic authentication for SAP Cloud for Customer

How-To Guide SAP NetWeaver Document Version: How To Guide - Configure SSL in ABAP System

How-to-Guide: SAP Web Dispatcher for Fiori Applications

How to Extend SAP Cloud for Customer - SAP On- Premise Pre-Packaged Integration Content (PI/HCI)

How-To Guide SAP Cloud for Customer Document Version: How to replicate marketing attributes from SAP CRM to SAP Cloud for Customer

How to Configure an Example SAP Cloud Applications Studio (PDI) Solution for SAP Cloud for Customer

Upgrade: SAP Mobile Platform Server for Windows SAP Mobile Platform 3.0 SP02

Software and Delivery Requirements

Installation Guide: Agentry Device Clients SAP Mobile Platform 2.3

Configuring Secure Network Communications for SAP

R49 Using SAP Payment Engine for payment transactions. Process Diagram

SAP HANA Cloud Integration CUSTOMER

How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On

SAP Web Application Server Security

SAP Project Portfolio Monitoring Rapid- Deployment Solution: Software Requirements

SFSF EC to 3 rd party payroll Integration Software and Delivery Requirements

Getting Started with the License Administration Workbench 2.0 (LAW 2.0)

How to Implement Mash Up to Show ECC Screen in SAP Cloud for Customer

How-To Guide SAP Cloud for Customer Document Version: How to Perform Initial Load of data from SAP ERP to SAP Cloud for Customer

How To Make Your Software More Secure

Installing and Configuring the HANA Cloud Connector for On-premise OData Access

HTTPS Configuration for SAP Connector

Rapid database migration of SAP Business Suite to SAP HANA (V4.10): Software and Delivery Requirements. SAP HANA November 2014 English

SAP ERP E-Commerce and SAP CRM Web Channel Enablement versions available on the market

Landscape Design and Integration. SAP Mobile Platform 3.0 SP02

Integration capabilities of SAP S/4HANA to SAP Cloud Solutions

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Data Integration using Integration Gateway. SAP Mobile Platform 3.0 SP02

SAP Best Practices for SAP Mobile Secure Cloud Configuration March 2015

Ariba Procure-to-Pay Integration rapiddeployment

SAP Sales and Operations Planning

SAP BusinessObjects Business Intelligence Suite Document Version: 4.1 Support Package Patch 3.x Update Guide

HP Device Manager 4.7

END-TO-END SSL SETUP SAP WEB DISPATCHER Helps you to setup the End-To-End SSL Scenario for SAP Web Dispatcher

SAP Web Application Server Security

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

SAP Business Intelligence Suite Patch 10.x Update Guide

Complementary Demo Guide

Secure MobiLink Synchronization using Microsoft IIS and the MobiLink Redirector

SEPA in SAP CRM. Application Innovation, CRM & Service Industries. Customer

SAP NetWeaver Identity Management Identity Services Configuration Guide

Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal

Remote Connectivity Infrastructure

SAP BusinessObjects Business Intelligence 4 Innovation and Implementation

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

SAP Fiori Infrastructure rapid-deployment solution: Software and Delivery Requirements

How-to guide: Monitoring of standalone Hosts. This guide explains how you can enable monitoring for standalone hosts in SAP Solution Manager

R/3 and J2EE Setup for Digital Signature on Form 16 in HR Systems

CUSTOMER SAP Afaria Windows Phone and Windows 8.1 Enrollment

How to Configure Integration between SAP Cloud for Customer and SAP hybris Marketing

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

SAP Cloud for Customer integration with SAP ERP: Software and Delivery Requirements

LVS Troubleshooting Common issues and solutions

SAP Payroll Processing control center rapiddeployment

SAP MII for Manufacturing rapid-deployment solution: Software Requirements

Create and run apps on HANA Cloud in SAP Web IDE

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Partner Certification to Operate SAP Solutions and SAP Software Environments

4 Ways That Electric Vehicles Will Impact Utilities

Price and Revenue Management - Manual Price Changes. SAP Best Practices for Retail

K75 SAP Payment Engine for Credit transfer (SWIFT & SEPA) Process Diagram

CUSTOMER Access Control Guide

SAP Landscape Transformation (SLT) Replication Server User Guide

How-To Guide for SAP Advanced Planning and Optimization, Demand Planning Add-In for Microsoft Excel

Contents. About this Support Package / Patch...5. To install the EPM Add-in for Microsoft Office Support Package 15 / Patch XX...

Software and Delivery Requirements

Transform HR into a Best-Run Business Best People and Talent: Gain a Trusted Partner in the Business Transformation Services Group

How to Schedule Report Execution and Mailing

Mobile Secure Cloud Edition Document Version: Mobile Application Management

Extend the SAP FIORI app HCM Timesheet Approval

Two UX Solutions Now Included with SAP Software

Implementing SSO between the Enterprise Portal and the EPM Add-In

SAP BW on HANA & HANA Smart Data Access Setup

Integration of SAP Netweaver User Management with LDAP

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features

Power Smart Business Operations with Real-Time Process Intelligence

SAP HANA Big Data Intelligence rapiddeployment

Mobile app for Android Version 1.2.x, December 2015

K88 - Additional Business Operations for Loans. Process Diagram

Mobile app for Android Version 1.0.x, January 2014

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

SAP Business One mobile app for Android Version 1.0.x November 2013

Mobile Secure Cloud Edition Document Version: ios Application Signing

Set Up Hortonworks Hadoop with SQL Anywhere

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop

Certification Guide Network Connectivity for SAP on Premise and Cloud Solutions Integration

SBOP Analysis 2.1, edition for Microsoft Office Additional PAM Information

Single Sign-On between SAP Portal and SuccessFactors

Software Requirements

Elevate Your Customer Engagement Strategy with Cloud Services

Multi Channel Sales Order Management: Mail Order. SAP Best Practices for Retail

Improve Security, Lower Risk, and Increase Compliance Using Single Sign-On

SAP Mobile Documents. December, 2015

GR5 Access Request. Process Diagram

Integration Capabilities of SAP S/4HANA to SAP Cloud Solutions

Transcription:

How-To Guide SAP NetWeaver Document Version: 1.0-2014-02-02 How to Configure SAP Web Dispatcher as a Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI

Document History Document Version Description 1.0 First official release of this guide Document History 2014 SAP AG or an SAP affiliate company. All rights reserved. 2

Table of Contents 1 Business Scenario... 4 2 Background Information... 4 3 Prerequisites... 4 4 Step-by-Step Procedure... 5 4.1 Installation of SAP Web Dispatcher... 5 4.2 Update SAP Web Dispatcher Kernel... 9 4.3 SAP Web Dispatcher SSL Configuration... 9 4.4 SAP Web Dispatcher Configuration for x.509... 14 4.5 Add client root certificate from WD into SSL Server Standard... 18 4.6 Add Parameters to the SAP ABAP Profile... 20 Table of Contents 2014 SAP AG or an SAP affiliate company. All rights reserved. 3

1 Business Scenario This document explains the required steps to configure SAP Web Dispatcher as reverse proxy for an onpremise CRM or ECC system for integration with SAP Cloud for Customers using HANA Cloud Integration. 2 Background Information This scenario covers HTTPS communication from HCI all the way to CRM or ECC with SSL termination in the SAP Web Dispatcher.This configuration is based on the steps to enable x.509 authentication, which is required when HANA Cloud Integration is used as integration layer. In this case we use a Windows server to illustrate the process, but the steps should be very similar in other operating systems systems. Note: There could be other parameters involved for proper operation of SSL configuration and Web Dispatcher, but this How-to document describes the minimum required for this scenario to work. 3 Prerequisites The chief prerequisite is that the SAP CRM or ECC systems are already configured with SSL. These tasks should be performed by a qualified SAP Basis Administrator, with a solid conceptual understanding of SSL and certificate-based encryption concepts. Business Scenario 2014 SAP AG or an SAP affiliate company. All rights reserved. 4

... 4 Step-by-Step Procedure This scenario covers and HTTPS communication from HCI all the way to CRM with SSL termination in the SAP Web Dispatcher. This configuration is based in the required steps to enable x.509 authentication required when HANA Cloud Integration is used as integration layer. In this case we use a Windows server, but the steps should be very similar for other OS systems. 4.1 Installation of SAP Web Dispatcher There are multiple ways to install the SAP Web Dispatcher but in this case we will use the SAPINST tool, it is also possible to use the SWPM or do manual installation. 1. Start SAPINST in the host where SAP Web Dispatcher will be installed. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 5

2. Select the option to install Web Dispatcher, and click Next. 3. Enter the system name and location of the installation. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 6

4. Enter the master password. 5. Enter the location of the non-unicode kernel. 6. Enter the hostname and port number of the message server of the CRM or ECC system. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 7

7. Enter the system number, port number and configuration size. 8. If required, activate the ICF services. 9. The installation proceeds Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 8

...... 10. Click OK to finish the installation. 4.2 Update SAP Web Dispatcher Kernel SAP note 908097 exaplains the process to update the kernel and the different release convinations that are supported. 4.3 SAP Web Dispatcher SSL Configuration 1. Download the latest SAP Cryptographic tools. This package is avaialable in the SAP Marketplace under SWDC. 2. Copy the SAP cryptographic binaries to the location of the Web Dispatcher kernel. This file include the sapgenpse and the library file. For example: sapgenpse.exe sapcrypto.dll Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 9

3. Copy the file ticket to the sec directory under the Web Dispatcher instance directory. 4. Add the following SSL relevant parameters to the Web Dispatcher profile: DIR_INSTANCE ssl/ssl_lib ssl/server_pse ssl/client_pse icm/server_port_1 For example: DIR_INSTANCE = D:\usr\sap\WCR\W35 ssl/ssl_lib=d:\usr\sap\wcr\sys\exe\nuc\ntamd64\sapcrypto.dll ssl/server_pse=d:\usr\sap\wcr\w35\sec\sapssls.pse ssl/client_pse=d:\usr\sap\wcr\w35\sec\sapsslc.pse icm/server_port_1 = PROT=HTTPS, PORT=1445, TIMEOUT=900 5. Set parameter wdisp/ssl_encrypt. This parameter determines how the SAP Web Dispatcher handles inbound HTTP(S) requests. The following values are permitted: 0: Forward the request unencrypted. 1: Encrypt the request again with SSL, in case the request arrived via HTTPS protocol. 2: Always forward the request encrypted with SSL. 6. Create Server PSE using the following command: sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN> <Distinguished_Name> For example: sapgenpse get_pse -p SAPSSLS.pse -x password -r D:\usr\sap\WCR\W35\sec\cert.req "CN=hostname.domain, OU=SAPLabs, OU=SAP, O=SAP, C=US" It is important that the CN used match the DNS name that will be used to communicate from HCI to the CRM/ECC system. The sapgenpse command will create two files, the actual PSE file and the certificate request for signature. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 10

It is possible to use the STRUST to create both. More details of both methods may be found via the link below: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a11 4084/content.htm 7. Sign certificate request by a CA. For testing purposes in this example we are using the SSL test Server certificate under the SAP Trust Center in the marketplace, but you can use your own CA. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 11

8. Click in SSL Test server Certificate and then in Test Now. 9. Enter the certificate request and click Continue. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 12

10. Copy the full string and paste into a text file 11. Import certificate request response into PSE. First, obtain the root certificate of the CA that was used to sign your certificate. In this case we get it from the download area for the SAP SSL Test Server CA Certificate. 12. Execute the following command to import the response into the PSE: sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN> Below is an example sapgenpse import_own_cert -c D:\usr\sap\WCR\W33\sec\signedcert.cer -p SAPSSLS.pse -x password -r D:\usr\sap\WCR\W33\sec\getCert.cer More details may be found via the following link: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 13

... 13. Use the following command to create a credentials file: sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID> For example: sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLS.pse -x password -O SAPServiceWCR 14. Restart the Web Dispatcher. 4.4 SAP Web Dispatcher Configuration for x.509 1. Use the following command to create the server PSE: sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN> <Distinguished_Name> For example: sapgenpse get_pse -p SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\clientcert.req "CN=WCR_35, OU=SAPLabs, OU=SAP, O=SAP, C=US" It is important to note the CN used because later on will be used as value for one of the parameter profiles in CRM/ECC. The previous command will create two files, the actual PSE file and the certificate request for signature It is possible to use the STRUST to create both. More details of both methods in the link below: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 14

2. Sign certificate request by a CA. For testing purposes, in this example, the SSL test Server certificate under the SAP Trust Center in the marketplace is used, but you can use your own CA. 3. Click in SSL Test server Certificate and then in Test Now. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 15

4. Enter the certificate request and click Continue. 5. Copy the full string and paste into a text file. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 16

6. Import certificate request response into PSE. Obtain the root certificate of the CA that was used to sign your certificate, in this case we get it from the download area for the SAP SSL Test Server CA.Certificate. 7. Execute the following command to import the response into the PSE: sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN> For example: sapgenpse import_own_cert -c D:\usr\sap\WCR\W35\sec\signedclientcert.cer -p SAPSSLC.pse -x password -r D:\usr\sap\WCR\W35\sec\getCert.cer More details on: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm 8. Use the following command to create a credentials file: sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID> For example: sapgenpse seclogin -p D:\usr\sap\WCR\W33\sec\SAPSSLC.pse -x password -O SAPServiceWCR Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 17

9. Use the following command to import the SSL root certificate or SSL server certificate from your CRM/ECC system. This will allow to establish a connection from the Web Dispatcher into the ICM of the application server..maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [-x <PIN>] For example: sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\getCert.cer -p D:\usr\sap\WCR\W35\sec\SAPSSLC.pse -x password 10. Set the following parameters in the profile of the Web Dispatcher: wdisp/ssl_encrypt = 1 icm/https/forward_ccert_as_header = true icm/https/verify_client=1 wdisp/ssl_auth = 2 wdisp/ssl_cred = D:\usr\sap\WCR\W35\sec\SAPSSLC.pse 11. Use the following command to import the root certificate used to sign the HCI x.509 certificate into the SSL server PSE. sapgenpse maintain_pk [<additional options>] [-a <cert_file>] [-d <number>] -p <PSE_name> [- x <PIN>] For example: sapgenpse maintain_pk -a D:\usr\sap\WCR\W35\sec\SAPPassportCA.cer -p SAPSSLS.pse -x password 12. Restart the Web Dispatcher. 4.5 Add client root certificate from WD into SSL Server Standard 1. Call transaction STRUST 2. Open the SSL Server server Standard Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 18

3. Load the root certificate used to sign the client certificate from the SAP Web Dispatcher clicking in Import Certificate button 4. Select the file that needs to be upload and load the file hitting enter 5. Click in Add to Certificate List Button Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 19

... 6. Click in the Save 4.6 Add Parameters to the SAP ABAP Profile 7. The following two parameters must be added to the SAP ABAP profile: icm/https/trust_client_with_issuer icm/https/trust_client_with_subject The subject here is the same subject that was used during the creation of the client PSE of the Web Dispatcher: icm/https/trust_client_with_subject = CN=WCR_15, OU=SAPLabs, OU=SAP, OU=Server, O=SAP Trust Community, C=DE This is the entity who signed the client PSE certificate from the Web Dispatcher, the issuer of the certificate. icm/https/trust_client_with_issuer = CN=Server CA, OU=Server, O=SAP Trust Community, C=DE 8. Restart the ABAP system. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 20

www.sap.com/contactsap www.sdn.sap.com/irj/sdn/howtoguides 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/ index.epx for additional trademark information and notices.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information