Professional Documents
Culture Documents
1. 2. 3. 4. 5. Purpose . 1 What is Web dispatcher? ...................................................... 1 What are the functions of SAP Web dispatcher? 2 Architecture of the SAP Web Dispatcher ..... 2 Server Selection and Load Balancing Using the SAP Web Dispatcher
5.1. 5.2. Server Selection ..... 3 Load Balancing ....... 5
6.
6.4.
11
7.
1. Purpose:
This paper is intended to introduce Web Dispatcher and give detailed information on the associated advantages, implementation scenarios and SSL options. In general, below are the few questions those arise from the customer when they are looking towards protection / load balancing of an SAP system. What is SAP Web dispatcher? What are the functions of SAP Web dispatcher? Is it technically possible to have a single Web Dispatcher instance to support multiple backend systems? How to use the SAP Web Dispatcher to distribute workload across the different instances of an SAP system? How to configure the SAP Web Dispatcher to Support SSL?
SAP web dispatcher forwards the incoming requests (HTTP, HTTPS) in turn to the SAP Web AS of the SAP system. The number of requests that are sent to a Web AS ABAP depends on its capacity, which depends on the number of configured dialog work processes. The capacity of a Web AS Java depends on the number of Server Processes. If the application is stateful, the SAP Web dispatcher ensures that with the next request, the user is forwarded to the server that is processing his or her application. To do this, it uses the session cookie with HTTP connections, and the client IP address with end-to-end SSL. Furthermore, the SAP Web dispatcher decides whether the incoming request should be forwarded to an ABAP or Java server.
5. Server Selection and Load Balancing Using the SAP Web Dispatcher:
Process Flow:
The SAP Web Dispatcher first checks whether the request is an ABAP or J2EE request. This distinction is based on the analysis of the URL prefix. For the URL http://portal.mindtree.com/A/B/C/Default.html, the prefix to be analyzed is the character string /A/B/C/. If this prefix is known in the ICF, this is an ABAP request. If the URL contains only one forward slash (/) after the host name, special handling is required: The value of the profile parameter is/HTTP/default_root_hdl determines the destination. In the case of an ABAP request, the SAP Web Dispatcher first uses a cookie to identify whether the request concerns a stateful application. If this exists, the decision is simple. The request is sent to the application server that is processing this session.For a stateless application, the internal group !DIAG is selected, which consists of all ABAP application servers. This is used only if a
logon group (maintained with transaction SMLG) is inherited or specified explicitly in the ICF service. AS Java also recognizes the concept of logon groups. If a specific logon group has not been configured for the prefix of the Java request called, the SAP Web Dispatcher uses the internal group !J2EE. In the case of a stateful application, this is indicated through the session information in the URL or a load-balancing cookie. For compatibility reasons, the session cookie jsessionid can also still be used here. The SAP Web Dispatcher obtains information about the logon groups and URL mapping from an ABAP application server via HTTP or HTTPS. For this to happen, the services /sap/public/icman and /sap/public/icf_info/* must be activated in the ICF.
6.3. Procedure:
6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server:
If the SAP Web Dispatcher is to pass the SSL connection to the server in the backend, then, in addition to the standard parameters, set the following profile parameter in the SAP Web Dispatchers profile:
icm/server_port_<xx>=PROT=ROUTER,PORT=<port>,TIMEOUT=<timeout_in_seconds>
6.3.2. Configuring the SAP Web Dispatcher to Terminate the SSL Connection
If the SAP Web Dispatcher is to terminate the SSL connection, then it must possess a security environment. To set up this security environment, perform the following: A. Install the SAP Cryptographic Library on the SAP Web Dispatcher. Download the SAP Cryptographic software from the market place, UNCAR the files using SAPCAR. Extract the contents of the SAP Cryptographic Library installation package. Copy the library file and the configuration tool sapgenpse.exe to a local directory, for example, the directory where the SAP Web Dispatcher is located. For this documentation, we will use the directory C:\Program Files\SAP\SAPWebDisp. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the library to its location using ftp on UNIX, then the file permissions may not be set correctly. Make sure that the user that runs the SAP Web Dispatcher is able to execute the library's functions. Create a sub-directory called sec and copy the ticket file to this directory. This is also the directory where the SAP Web Dispatchers PSEs and credentials are to be located. Location of the SAP Cryptographic Library C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll
Location of the Configuration Tool sapgenpse C:\Program Files\SAP\SAPWebDisp\sapgenpse.exe Location of the License Ticket C:\Program Files\SAP\SAPWebDisp\sec\ticket
B. Set the profile parameters. Make the below entries in the instance profile: --------------------------------------------------------------------------------SAPSYSTEMNAME # can be created. # The number must be different from the other SAP instances # on the host. SAPSYSTEM = 26 # Set DIR_INSTANCE so that the SAP Cryptographic Library can # find the sec sub-directory. DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp # Message Server Description rdisp/mshost = xyzmain ms/http_port = 8000 ms/https_port = 443 # Description of the Access Points icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900 icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900 icm/HTTPS/verify_client = 0 # Parameters for the SAP Cryptographic Library ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse # Parameters for Using SSL to the backend server wdisp/ssl_encrypt = 2 wdisp/ssl_auth = 2 wdisp/ssl_cred = SAPSSLC.pse wdisp/ssl_certhost = www.test.com = XYZ # SAPSYSTEM must be set so that the shared memory areas
---------------------------------------------------------------------------------
C. Create the SAP Web Dispatchers PSE(s) and certificate request(s). i. Creating the SAP Web Dispatchers PSEs Using the Trust Manager To create each PSE (SSL server PSE and SSL client PSE), using the trust manager: Start the trust manager (transaction STRUST). Using the context menu for the File node, choose Create (RSA). The Create PSE dialog appears. Enter the Distinguished Name parts in the corresponding fields according to your CAs naming convention. Save the PSE to local file (for example, the Web Dispatchers SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively. Creating the SAP Web Dispatchers PSEs and Certificate Requests Using SAPGENPSE As an alternative, you can use the configuration tool sapgenpse to create the SAP Web Dispatchers PSEs. Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it using the command line as shown below. set SECUDIR=<SECUDIR_directory> Use the tools command get_pse as shown below to create the SAP Web Dispatchers PSE. sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN> <Distinguished_Name> Where: -p: Path and file name for the PSE.If the complete path is not included, then the PSE file is created in the SECUDIR directory. -r: File name for the certificate request -x: PIN that protects the PSE
ii.
D. Send the certificate request(s) to a CA to be signed. For each certificate request that you created, send the contents of the certificate request to your CA. The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate. E. Import the certificate request response(s) into the PSE. i. Importing the Certificate Request Response Using the Trust Manager If you used the trust manager to create the SAP Web Dispatchers PSE, then you can easily use it again to import the certificate request response. For each of the PSEs that you created, perform the following: If the certificate request dialog is still open, then close it. If the SAP Web Dispatchers PSE is not loaded in the PSE maintenance section, then load it by selecting the File node with a double-click and selecting the PSE from the file system. In the PSE maintenance section, choose Import Cert. Response. The dialog for the certificate response appears. Insert the contents of the certificate request response into the dialogs text box either using Copy&Paste or by loading the file from the file system.The signed public-key certificate is imported into the SAP Web Dispatchers PSE, which is displayed in the PSE maintenance section. You can view the certificate by selecting it with a double-click. The certificate information is then shown in the certificate maintenance section. Create a PIN for the PSE. Importing the Certificate Request Response Using SAPGENPSE As an alternative, you can use the configuration tool sapgenpse to import the certificate request response into the PSEs. Use the tools command import_own_cert as shown below.
sapgenpse import_own_cert <Additional_options> <Cert_file> [-r <RootCA_cert_file>] -x <PIN> -p <PSE_file> -c
ii.
Where -p: Path and file name of the PSE. -c: Path and file name of the certificate request respons -r: File containing the CAs root certificate -x: PIN that protects the PSE
10
F. Create credentials for the SAP Web Dispatcher. Use the following command line to open each PSE and create credentials. sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID> Where: -p: Path and file name for the PSE. -x: PIN that protects the PSE -O: User for which the credentials are created. (The user that runs the SAP Web Dispatcher process.) G. Restart the SAP Web Dispatcher. H. Test the connection. Start a BSP using an HTTPS connection to your SAP Web Dispatcher and the corresponding SSL port. If your Web browser cannot completely verify the SAP Web Dispatcher's public-key certificate, then you will receive a dialog that states the reason why. For example, if your Web browser does not possess the issuing CA's root certificate as a trusted root certificate, then you are informed and can choose to trust the server at this time. If you trust the server's certificate (either automatically or manually), then the next step is to authenticate yourself. If your authentication was successful, the BSP appears.
IP Address based persistence usually OK in internet No logon groups No distinction between J2EE and ABAP applications
Contra : Harder to configure Web Dispatcher becomes "trusted component" (secure channel to WebAS needed) Make sure Web Dispatcher does not become performance bottleneck as it needs higher CPU capacity
7. Key points:
We have various scenarios that can be used while implementing Web Dispatcher, the scenario to be chosen comes down to one's requirement of security, performance, cost, effort, etc., Some of the interesting facts about web dispatcher are listed below. Web Dispatcher is a software load balancer and application layer gateway for SAP Web AS Web Dispatcher is not a reverse proxy, not meant to be. As of Netweaver 7.2, it is possible to have single web dispatcher to cater to multiple backend systems, NW 7.2 based Web Dispatcher is backward compatible and supports up to 6.10 Both End-to-End SSL and SSL Termination are available, SSL options to be chosen based on the requirement and by carefully analyzing the hardware and cost involved in setting up the chosen SSL option It is recommended to perform the sizing exercise with the realistic inputs No additional cost involved for license, Web Dispatcher is delivered at free of cost (part of Web AS)
12