How to setup the SAP Web Dispatcher with SSL Re-encryption?

There are three different scenarios involving the SAP Web Dispatcher (WDP) and HTTPS access: SSL Termination (in the WDP), SSL Re-encryption and End to End SSL. This blog will present the second scenario.

Prerequisites

• SAP Web Dispatcher 7.20 or higher
• SAPCRYPTOLIB 5.5.5 patch level 24 or higher (in this blog pl 32 is used)

Profile parameters

The standard SSL configuration demands the following three parameters:

ssl/ssl_lib     = <path>\sapcrypto.dll

ssl/server_pse  = <path>\SAPSSLS.pse

ssl/client_pse  = <path>\SAPSSLC.pse

As the WDP 7.20 or higher can connect to different systems, the following parameters were set:

wdisp/system_0 = SID=AAA, MSHOST=<FQDN1>, MSPORT=8100, SRCSRV=webdispatcher.foo.bar:10000

wdisp/system_1 = SID=BBB, MSHOST=<FQDN2>, MSPORT=8171, SRCSRV=webdispatcher.foo.bar:10001

The server ports also must be defined:

icm/server_port_0 = PROT=HTTP,PORT=9999

icm/server_port_1 = PROT=HTTPS,PORT=10000

icm/server_port_2 = PROT=HTTPS,PORT=10001

As the WDP will perform a re-encryption of the data, the parameter below must be set:

wdisp/ssl_encrypt = 1

At last, but not least, for testing purposes, the HTML dump into the trace will be enabled, along with a trace level 3. Important: the trace files will be HUGE! The parameters below should be set only for a quick test or for error analysis. The default trace level (i.e. 1) must be used in productive systems (and for security matters, the HTML dump should not be active).

icm/trace_secured_data = 1

rdisp/TRACE = 3

Checking the configuration

As soon as the profile file is saved, one can test the configuration by running:

sapwebdisp pf=sapwebdisp.pfl -checkconfig

No error message is expected (the result of the -checkconfig is the same as shown here)

The WDP is now ready to work!

Analyzing the scenario and the dev_webdisp trace file

Similar to other scenarios, the trace level 3 recorded in the dev_webdisp has plenty information. From a test calling a giving internet service (WEBGUI, for example) it is possible to see the moment the request reached the WDP:

"...

[Thr 6876] IcmWorkerThread: worker 2 got the semaphore

[Thr 6876] REQ TRACE BEGIN: 0/18/1

[Thr 6876] REQUEST:

    Type: ACCEPT_CONNECTION    Index = 2

[Thr 6876] CONNECTION (id=0/18):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 147, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:53691 ()

    status: NOP

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <0>      MPI response:        <0>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

..."

Next it is possible to check the SSL handshake between the client and the server (WDP):

"...

[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=0000000002C5C6E0, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K

[Thr 6876]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 6876]     out: sssl_hdl = 0000000002D7D810

[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)

[Thr 6876] NiIBlockMode: set blockmode for hdl 147 TRUE

[Thr 6876]   SSL NI-sock: local=<WDP IP>:10000 peer=<Client IP>:53691

[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7D810, ni_hdl=147)==SAP_O_K

[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7D810)

[Thr 6876] Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:SSL_RSA_EXPORT_WITH_RC4_40_MD5"

[Thr 6876] Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_MD5"

[Thr 6876]   No Client Certificate

[Thr 6876]   New session (TLSv1.0)

[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53EE4, buf_len= 32 }

[Thr 6876]    00000: 5f d1 b3 37 34 1f 33 fc  84 a5 d8 c3 01 4f fe b1   _..74.3. .....O..

[Thr 6876] 00010: 33 99 af e4 20 0f 1a 88  77 24 e2 2f 4a d8 64 c6   3... ... w$./J.d.

[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7D810)==SAP_O_K

[Thr 6876] status = "new SSL session, NO client cert"

..."

The request is then read from the connection:

"...

[Thr 6876] IcmReadFromConn(id=0/18): read 443 bytes, 1 readops (timeout 0)

[Thr 6876] Address Offset  IcmReadFromConn received

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a416363 6570743a |TTP/1.1..Accept:|

[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a4163 63657074 2d4c616e | */*..Accept-Lan|

..."

The WDP will reach the web application server ABAP via HTTPS:

"...

[Thr 6876] HttpPortTableMatchPort: Port 0, webdispatcher.foo.bar:10000 (<WDP IP>:10000) matches request

[Thr 6876] ICR: IcrFindTargetSystem(0000000002D614F0, '/sap/bc/gui/sap/its/webgui' -> 0

[Thr 6876] HttpGetRouteTargetSystem: SID='AAA'

[Thr 6876] ICT: IctLookupPathTable() -> 0

[Thr 6876] HTR: found stack ABAP for URL /sap/bc/gui/sap/its/webgui

[Thr 6876] HTR: routing destination type = ICF/ABAP .

[Thr 6876] HTR: No esid found in request

[Thr 6876] HTR: HtrIExtractSessionID -> '' 0

[Thr 6876] HTR: stateless request (no valid session ID found) or initial request for stored session id

[Thr 6876] ICR: IcrIGetMinLoadServer: server 'HOST_AAA_00'1 delta=400 load=0/0valid=1 resp=1 capacity=10

[Thr 6876] ICR: IcrIFindMatchingPort for prot=1 stack=1 vhost=-1

[Thr 6876] ICR: IcrIFindMatchingPort: compare with 0 0 8000 10

[Thr 6876] ICR: IcrIFindMatchingPort: compare with 1 0 443 10

[Thr 6876] ICR: IcrIFindMatchingPort: found matching port: prot=1 vhost=0 port=443 f=10

[Thr 6876] ICR: IcrIGetMinLoadServer: near-zero load #0: HOST_AAA_00

[Thr 6876] ICR: IcrAttachToServer: next destination server 'HOST_AAA_00'1 10 1 0 port:443/1/0

..."

Since the connection to the server uses HTTPS, a new SSL handshake is necessary:

"...

[Thr 6876] NiHLGetNodeAddr: found hostname '<FQDN WAS>' in cache

[Thr 6876] NiIGetNodeAddr: hostname '<FQDN WAS>' = addr <WAS IP>

[Thr 6876] NiIGetServNo: servicename '443' = port 443

[Thr 6876] NiICreateHandle: hdl 153 state NI_INITIAL_CON

[Thr 6876] NiIInitSocket: set default settings for new hdl 153/sock 32916 (I4; ST)

[Thr 6876] NiIBlockMode: set blockmode for hdl 153 FALSE

[Thr 6876] NiIConnectSocket: hdl 153 is connecting to <WAS IP>:443 (timeout=5000)

[Thr 6876] SiPeekPendConn: connection of sock 32916 established

[Thr 6876] NiICheckPendConnection: connection of hdl 153 to <WAS IP>:443 established

[Thr 6876] NiIConnect: hdl 153 took local address <WDP IP>:53692

[Thr 6876] NiIConnect: state of hdl 153 NI_CONNECTED

[Thr 6876] IcmConnPoolConnect: Connection to host: <FQDN WAS>, service: 443 established (nihdl=153)

[Thr 6876] ->> SapSSLSessionInit(&sssl_hdl=00000000026CC6E8, role=1 (CLIENT), auth_type=0 (NO_CLIENT_CERT))

[Thr 6876] <<- SapSSLSessionInit()==SAP_O_K

[Thr 6876]      in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=0 (NO_CLIENT_CERT)"

[Thr 6876]     out: sssl_hdl = 0000000002D7DA30

[Thr 6876] ->> SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)

[Thr 6876] NiIBlockMode: set blockmode for hdl 153 TRUE

[Thr 6876]   SSL NI-sock: local=<WDP IP>:53692 peer=<WAS IP>:443

[Thr 6876] <<- SapSSLSetNiHdl(sssl_hdl=0000000002D7DA30, ni_hdl=153)==SAP_O_K

[Thr 6876] ->> SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30, &hostname=0000000002D4FE20)

[Thr 6876] <<- SapSSLSetTargetHostname(sssl_hdl=0000000002D7DA30)==SAP_O_K

[Thr 6876]      in: hostname = "<FQDN WAS>"

[Thr 6876] ->> SapSSLSessionStart(sssl_hdl=0000000002D7DA30)

[Thr 6876] SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 6876] SecudeSSL_SessionStart(): created new SSL session (TLSv1.0)

[Thr 6876]   Server Certificate available (FCPath-Len= 0)

[Thr 6876]   Server's List of trusted CA DNames (from cert-request message):

[Thr 6876]     #1  "CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??"

[Thr 6876]     #2  "CN=kkkkkkkkkkkk, O=wwwwwwwwww, C=??"

[Thr 6876] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry

[Thr 6876]   HexDump of native SSL session ID { &buf= 0000000002D53F64, buf_len= 32 }

[Thr 6876] 00000: 5e 4a f0 f1 1d 0e 94 c8  c8 37 d0 c5 66 4b c1 e0   ^J...... .7..fK..

[Thr 6876] 00010: 80 26 ee b5 b1 0e 36 bb  92 45 10 c9 3a 8d ad e4   .&....6. .E..:...

...

[Thr 6876]   Subject DN: CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??

[Thr 6876] Issuer  DN: CN=xxxxxxxxxxxx, OU=yyyyyyyyy, O=zzzzzzzzzzzzzzzzzz, C=??

[Thr 6876]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA

[Thr 6876] MatchTargetName("<FQDN WAS>", CN="<FQDN WAS>") == EXACT match

[Thr 6876] <<- SapSSLSessionStart(sssl_hdl=0000000002D7DA30)==SAP_O_K

[Thr 6876] status = "new SSL session"

[Thr 6876] Server DN = " CN=<FQDN WAS>, OU=aaaaaaa, OU=bbbbbbbbbbbbbb, OU=ccccccc, O=ddddd, C=??"

[Thr 6876] IcmConnPoolNewEntry: created new entry 000000000B8A0930[0] for pool 000000000B809610 (nihdl=153, ssl=0000000002D7DA30)

[Thr 6876] ICR: IcrAttachToServer('!DIAGS' 1 2 4100 1 port:443/1/0) 0-> 0

[Thr 6876] HTR: routing to destination 'HOST_AAA_00' (balanceable=0)

[Thr 6876] server triggered

[Thr 6876]    Pool Entry 000000000B8A0930:

[Thr 6876]    NI: 153, SSL: 0000000002D7DA30, allocated: 1, inuse: 1, desc: 000000000B8096B0

..."

A few seconds later the WDP sends the request to the application server:

"...

[Thr 6876] local host: <WDP IP>:53692

[Thr 6876] remote host: <WAS IP>:443

[Thr 6876] HTR: forwarding buffer to server (443)

[Thr 6876] Address Offset  Send to AppServer via net:

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  47455420 2f736170 2f62632f 6775692f |GET /sap/bc/gui/|

[Thr 6876] 0000000003F76068 000016  7361702f 6974732f 77656267 75692048 |sap/its/webgui H|

[Thr 6876] 0000000003F76078 000032  5454502f 312e310d 0a616363 6570743a |TTP/1.1..accept:|

[Thr 6876] 0000000003F76088 000048  202a2f2a 0d0a6163 63657074 2d6c616e | */*..accept-lan|

..."

A response is received from the application server:

"...

[Thr 6876] Address Offset  IcmReadFromPartner received

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|

[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|

[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|

..."

The response is then re-encrypted and sent to the web browser:

"...

[Thr 6876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)

[Thr 6876] IcmHandleNetWrite(id=0/18): HandleServData returned: 1

[Thr 6876] Address    Offset  IcmWriteToConn:

[Thr 6876] ------------------------------------------------------------------------

[Thr 6876] 0000000003F76058 000000  48545450 2f312e31 20323030 204f4b0d |HTTP/1.1 200 OK.|

[Thr 6876] 0000000003F76068 000016  0a636f6e 74656e74 2d747970 653a2074 |.content-type: t|

[Thr 6876] 0000000003F76078 000032  6578742f 68746d6c 3b206368 61727365 |ext/html; charse|

[Thr 6876] 0000000003F76088  000048 743d7574 662d380d 0a636f6e 74656e74 |t=utf-8..content|

[Thr 6876] 0000000003F76098  000064 2d656e63 6f64696e 673a2067 7a69700d |-encoding: gzip.|

[Thr 6876] 0000000003F760A8  000080 0a636f6e 74656e74 2d6c656e 6774683a |.content-length:|

..."

Finally, the thread is free to wait a new request:

"...

[Thr 6876] IcmWriteToConn(id=0/18): wrote data to partner (len = 5243)

[Thr 6876] IcmNetBufFree: free netbuf: 0000000000759C10 out of 1 used

[Thr 6876] MPI<5>0#4 DiscardOutbuf 0 0 0 1a5fa0 0 0 -> 0000000003F75FF0 MPI_OK

[Thr 6876] NiWakeupExec: send wakeup signal to 49627->64998 (sock 33032)

[Thr 6876] IcmConnRollOut: connection (id=0/18) rolled out: reason:1 role:1 timeout:60

[Thr 6876] CONNECTION (id=0/18):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 147, protocol: HTTPS(2)

    local host:  <WDP IP>:10000 ()

    remote host: <Client IP>:53691 ()

    status: READ_REQUEST

    connect time: xx.zz.yyyy aa:bb:cc

    MPI request:        <4>      MPI response:        <5>  

request_buf_size:   0        response_buf_size:   0    

request_buf_used:   0        response_buf_used:   0    

request_buf_offset: 0 response_buf_offset: 0    

[Thr 6876] IcmWorkerThread: SSL Session rolled out

[Thr 6876] REQ TRACE END: 0/18/1

[Thr 6876] IcmWorkerThread: Thread 2: Waiting for event

..."

If the parameter "icm/trace_secured_data = 1" is not set, it is not possible to see the HTML content. The following log entry appears:

"…

BINDUMP of content denied

…"

Stay tuned for my next blog about End-to-End SSL in the SAP Web Dispatcher!