Embed Size (px)
DESCRIPTION
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Citation preview
Generated by Jive SBS on 2011-03-14+01001
Fully Qualified Domain Names (FQDN) (SAPLibrary - Web Dynpro ABAP Configuration)
In Web Dynpro ABAP it is imperative that a client browser with a fully qualified domainname (FQDN) has access to the AS-ABAP For this reason the full URL must be assignedto a Web Dynpro ABAP application when it is called The URL must not be shortened (forinstance no domain specification)
The domain used must also satisfy the requirements of the cookie specification (see httpwpnetscapecomnewsrefstdcookie_spechtml)
To check the FQDN in the Web Dynpro explorer in the ABAP development environment(SE80) choose the relevant Web Dynpro application from the navigation tree for your WebDynpro componentinterface and check the URL in the administration data Check whetherthe path details in the URL field also contain the full domain and host name
Note that neitherIP addressesnor underscorecharacters areallowed in hostnames (see below)
More informationSAP Note 654982
Purpose
FQDNs are necessary for the following reasons
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01002
bull One domain is required with which cookies can be set domain-wide for instanceSSO2 cookies
bull Domain relaxation code is required for cross-frame JavaScript
This is particularly important forportal
integration (see below)bull In an HTTPS environment client and server names must correspond to each other
for certificates and for the SSL protocol
Note that the domain in which the AS ABAP is run is not necessarily the FQDN used toaccess the AS ABAP from the browser A typical example is an AS ABAP that runs both inthe Intranet and in the Internet In a case like this the FQDN is determined by the position ofthe browser relative to the AS ABAP and not by the AS ABAP itself
Configuration of Fully Qualified Domain Names
If the host name simply specifies the host and port but not the domain (including theextension) the shortened URL of a Web application looks like
ltschemagtlthostnamegtltportgtsap
Example
httppwdf04871080sapbcwebdynprosapwdr_test_events
Whereas the full URL should look like
ltschemagtlthostnamegtltdomaingt
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01003
ltextensiongtltportgtsap
Example
httppwdf0487wdfsap-agde1080sapbcwebdynprosapwdr_test_events
IP Addresses Not Supported
URLs that contain IP addresses are not supported
ltschemagtltIPaddressgtltportgtsap
Example
http10218101080sapbcwebdynprosapxyz
The following notation is required
ltschemagtlthostnamegtltdomaingtltextensiongtltportgtsap
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01004
Example
httphs0059iwdfsapcorp1080sapbcwebdynprosapxyz
To map IP addresses correctly the following is required
bull A minimal form of DNS at the customer location with the name of the AS-ABAP anda mapping to an IP address
bull Alternatively a pseudo AS-ABAP name can be used and the HTTP proxyconfigured at the firewall in such a way that this URL is sent to the correct IPaddress
bull For smaller installations you can use the following quick solution
Update the hosts file on each workstation Insert the line101773210 hostnamedomainext into file WINNTsystem32driversetchosts
No Support for _ in Host Names
The browser does not accept cookies if a host name contains the underscore character _
Since Microsoft Internet Explorer 60 and MS Internet Explorer 55 including security patchMS01-055 cannot accept any domain names with underscore characters session cookiescannot be saved This will result in terminations when navigating within a Web application
Example
The developmentsystem is calleddev_sys and thequality securitysystem qsys Thismeans the fully
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01005
qualified domainname is
qsyscompanycoxx
The followingnotation is notaccepted
dev_syscompanycoxx
qsysmy_companycoxx
For this reason host and domain names must never contain the underscore character _
Domain Restrictions in Accordance with the Cookie Specification
The portal must be started with a domain that complies with the domain specification of theInternet standard cookie specification Otherwise the portal cannot create the MYSAPSSO2cookie
So that the browser can decide which servers a cookie can be sent to the URL mustcontain the domain specification since the decision is based on this information Inaccordance with the Netscape cookie specification (available at httpwpnetscapecomnewsrefstdcookie_spechtml) cookies can be set for one domain only and a domainmust contain two or three dots () due to security restrictions Each of the seven top leveldomains (COMEDUNETORGGOVMILINT) must contain at least one further domaincomponent (usually the name of the company or organization) amounting to two dots Eachdomain with a different ending (this includes the top level domains for countries such as UKDE FR and so on) must consist of two further domain components that is these domainsmust contain at least three dots For more information see the cookie specification
Examples of validdomains
bull lthostgtsapcom
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01002
bull One domain is required with which cookies can be set domain-wide for instanceSSO2 cookies
bull Domain relaxation code is required for cross-frame JavaScript
This is particularly important forportal
integration (see below)bull In an HTTPS environment client and server names must correspond to each other
for certificates and for the SSL protocol
Note that the domain in which the AS ABAP is run is not necessarily the FQDN used toaccess the AS ABAP from the browser A typical example is an AS ABAP that runs both inthe Intranet and in the Internet In a case like this the FQDN is determined by the position ofthe browser relative to the AS ABAP and not by the AS ABAP itself
Configuration of Fully Qualified Domain Names
If the host name simply specifies the host and port but not the domain (including theextension) the shortened URL of a Web application looks like
ltschemagtlthostnamegtltportgtsap
Example
httppwdf04871080sapbcwebdynprosapwdr_test_events
Whereas the full URL should look like
ltschemagtlthostnamegtltdomaingt
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01003
ltextensiongtltportgtsap
Example
httppwdf0487wdfsap-agde1080sapbcwebdynprosapwdr_test_events
IP Addresses Not Supported
URLs that contain IP addresses are not supported
ltschemagtltIPaddressgtltportgtsap
Example
http10218101080sapbcwebdynprosapxyz
The following notation is required
ltschemagtlthostnamegtltdomaingtltextensiongtltportgtsap
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01004
Example
httphs0059iwdfsapcorp1080sapbcwebdynprosapxyz
To map IP addresses correctly the following is required
bull A minimal form of DNS at the customer location with the name of the AS-ABAP anda mapping to an IP address
bull Alternatively a pseudo AS-ABAP name can be used and the HTTP proxyconfigured at the firewall in such a way that this URL is sent to the correct IPaddress
bull For smaller installations you can use the following quick solution
Update the hosts file on each workstation Insert the line101773210 hostnamedomainext into file WINNTsystem32driversetchosts
No Support for _ in Host Names
The browser does not accept cookies if a host name contains the underscore character _
Since Microsoft Internet Explorer 60 and MS Internet Explorer 55 including security patchMS01-055 cannot accept any domain names with underscore characters session cookiescannot be saved This will result in terminations when navigating within a Web application
Example
The developmentsystem is calleddev_sys and thequality securitysystem qsys Thismeans the fully
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01005
qualified domainname is
qsyscompanycoxx
The followingnotation is notaccepted
dev_syscompanycoxx
qsysmy_companycoxx
For this reason host and domain names must never contain the underscore character _
Domain Restrictions in Accordance with the Cookie Specification
The portal must be started with a domain that complies with the domain specification of theInternet standard cookie specification Otherwise the portal cannot create the MYSAPSSO2cookie
So that the browser can decide which servers a cookie can be sent to the URL mustcontain the domain specification since the decision is based on this information Inaccordance with the Netscape cookie specification (available at httpwpnetscapecomnewsrefstdcookie_spechtml) cookies can be set for one domain only and a domainmust contain two or three dots () due to security restrictions Each of the seven top leveldomains (COMEDUNETORGGOVMILINT) must contain at least one further domaincomponent (usually the name of the company or organization) amounting to two dots Eachdomain with a different ending (this includes the top level domains for countries such as UKDE FR and so on) must consist of two further domain components that is these domainsmust contain at least three dots For more information see the cookie specification
Examples of validdomains
bull lthostgtsapcom
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01003
ltextensiongtltportgtsap
Example
httppwdf0487wdfsap-agde1080sapbcwebdynprosapwdr_test_events
IP Addresses Not Supported
URLs that contain IP addresses are not supported
ltschemagtltIPaddressgtltportgtsap
Example
http10218101080sapbcwebdynprosapxyz
The following notation is required
ltschemagtlthostnamegtltdomaingtltextensiongtltportgtsap
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01004
Example
httphs0059iwdfsapcorp1080sapbcwebdynprosapxyz
To map IP addresses correctly the following is required
bull A minimal form of DNS at the customer location with the name of the AS-ABAP anda mapping to an IP address
bull Alternatively a pseudo AS-ABAP name can be used and the HTTP proxyconfigured at the firewall in such a way that this URL is sent to the correct IPaddress
bull For smaller installations you can use the following quick solution
Update the hosts file on each workstation Insert the line101773210 hostnamedomainext into file WINNTsystem32driversetchosts
No Support for _ in Host Names
The browser does not accept cookies if a host name contains the underscore character _
Since Microsoft Internet Explorer 60 and MS Internet Explorer 55 including security patchMS01-055 cannot accept any domain names with underscore characters session cookiescannot be saved This will result in terminations when navigating within a Web application
Example
The developmentsystem is calleddev_sys and thequality securitysystem qsys Thismeans the fully
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01005
qualified domainname is
qsyscompanycoxx
The followingnotation is notaccepted
dev_syscompanycoxx
qsysmy_companycoxx
For this reason host and domain names must never contain the underscore character _
Domain Restrictions in Accordance with the Cookie Specification
The portal must be started with a domain that complies with the domain specification of theInternet standard cookie specification Otherwise the portal cannot create the MYSAPSSO2cookie
So that the browser can decide which servers a cookie can be sent to the URL mustcontain the domain specification since the decision is based on this information Inaccordance with the Netscape cookie specification (available at httpwpnetscapecomnewsrefstdcookie_spechtml) cookies can be set for one domain only and a domainmust contain two or three dots () due to security restrictions Each of the seven top leveldomains (COMEDUNETORGGOVMILINT) must contain at least one further domaincomponent (usually the name of the company or organization) amounting to two dots Eachdomain with a different ending (this includes the top level domains for countries such as UKDE FR and so on) must consist of two further domain components that is these domainsmust contain at least three dots For more information see the cookie specification
Examples of validdomains
bull lthostgtsapcom
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01004
Example
httphs0059iwdfsapcorp1080sapbcwebdynprosapxyz
To map IP addresses correctly the following is required
bull A minimal form of DNS at the customer location with the name of the AS-ABAP anda mapping to an IP address
bull Alternatively a pseudo AS-ABAP name can be used and the HTTP proxyconfigured at the firewall in such a way that this URL is sent to the correct IPaddress
bull For smaller installations you can use the following quick solution
Update the hosts file on each workstation Insert the line101773210 hostnamedomainext into file WINNTsystem32driversetchosts
No Support for _ in Host Names
The browser does not accept cookies if a host name contains the underscore character _
Since Microsoft Internet Explorer 60 and MS Internet Explorer 55 including security patchMS01-055 cannot accept any domain names with underscore characters session cookiescannot be saved This will result in terminations when navigating within a Web application
Example
The developmentsystem is calleddev_sys and thequality securitysystem qsys Thismeans the fully
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01005
qualified domainname is
qsyscompanycoxx
The followingnotation is notaccepted
dev_syscompanycoxx
qsysmy_companycoxx
For this reason host and domain names must never contain the underscore character _
Domain Restrictions in Accordance with the Cookie Specification
The portal must be started with a domain that complies with the domain specification of theInternet standard cookie specification Otherwise the portal cannot create the MYSAPSSO2cookie
So that the browser can decide which servers a cookie can be sent to the URL mustcontain the domain specification since the decision is based on this information Inaccordance with the Netscape cookie specification (available at httpwpnetscapecomnewsrefstdcookie_spechtml) cookies can be set for one domain only and a domainmust contain two or three dots () due to security restrictions Each of the seven top leveldomains (COMEDUNETORGGOVMILINT) must contain at least one further domaincomponent (usually the name of the company or organization) amounting to two dots Eachdomain with a different ending (this includes the top level domains for countries such as UKDE FR and so on) must consist of two further domain components that is these domainsmust contain at least three dots For more information see the cookie specification
Examples of validdomains
bull lthostgtsapcom
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01005
qualified domainname is
qsyscompanycoxx
The followingnotation is notaccepted
dev_syscompanycoxx
qsysmy_companycoxx
For this reason host and domain names must never contain the underscore character _
Domain Restrictions in Accordance with the Cookie Specification
The portal must be started with a domain that complies with the domain specification of theInternet standard cookie specification Otherwise the portal cannot create the MYSAPSSO2cookie
So that the browser can decide which servers a cookie can be sent to the URL mustcontain the domain specification since the decision is based on this information Inaccordance with the Netscape cookie specification (available at httpwpnetscapecomnewsrefstdcookie_spechtml) cookies can be set for one domain only and a domainmust contain two or three dots () due to security restrictions Each of the seven top leveldomains (COMEDUNETORGGOVMILINT) must contain at least one further domaincomponent (usually the name of the company or organization) amounting to two dots Eachdomain with a different ending (this includes the top level domains for countries such as UKDE FR and so on) must consist of two further domain components that is these domainsmust contain at least three dots For more information see the cookie specification
Examples of validdomains
bull lthostgtsapcom
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01006
Top level domain -gt two domain componentsbull lthostgtportalsapde
No top level domain -gt three domain components
Some browsers (for instance Microsoft Internet Explorer) are less strict and permit domainsthat violate the cookie specification rules listed above
The Internet Explorer would allow the following domain
lthostgtsapde
This is not a toplevel domain yet itonly has two domaincomponents
Domains appear to be accepted whose penultimate component consists of at least threecharacters because otherwise there would be problems for instance with all Britishdomains due to there being insufficient restrictions on how cookies are sent
Examples
URL Description
httpwwwxycom Compliant with specification
httpwwwxycouk Compliant with specification
httplthostgtepdde For MS IE ok
httpwwwsapde For MS IE ok
httplthostgtepde For MS IE not ok
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01007
httpwwwcouk Not ok (compliant with specification)
SAP generallyrecommends thatyou always complywith the definitionsof the cookiespecifications
HTTPS
The use of SSL (with HTTPS) as well as ensuring encrypted data transfer should alsoensure that the server being contacted (for example a company or organization) isauthentic This is done using SSL server certificates For each HTTPS URL the browserchecks whether the full host name contained in the URL corresponds to the relevantspecification (such as common name CN) in the checked SSL server certificate If thebrowser ascertains a difference it triggers an error warning
Examples
The SSL server certificate was issued on CN=tcsmysapcom OU=SAP Trust CommunityO=SAP AG L=Walldorf C=DE The following URLs are checked
URL DescriptionBehavior
httptcsmysapcom No SSLHTTPS
httpstcsmysapcom Compliant with specification
httpstcs01mysapcom Warningerror
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error
With an SSL server certificate issued on CN=mysapcom all the URLs listed abovereturn an error A certification authority (CA) however usually establishes its own rulesfor components that it issues and for verified certificates The use of wildcards () in thecommon name is generally not permitted
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01008
When you use SSLterminating reverseproxies (in front ofthe Web ServerAS-ABAP) makesure that the SSLserver certificate ofthe reverse proxycorresponds to thehost name of thereverse proxy thatis visible for thebrowser
For more informationabout securitysee SAP WebApplication ServerSecurity (ABAP)
Setting the FQDN
The following variables and parameters are used to set the host and domain names
bull SAPLOCALHOSTbull SAPLOCALHOSTFULLbull icmhost_name_full
The ICM sets the FQHN in accordance with the hierarchy below
1 The SAPLOCALHOSTFULL parameter in the SAP profile (recommended for highavailability configurations) has top priority If it is set in the profile file the ICM takes this asthe FQHN value
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
Fully Qualified Domain Names (FQDN) (SAP Library - Web Dynpro ABAP Configuration)
Generated by Jive SBS on 2011-03-14+01009
Note that the system default value of SAPLOCALHOSTFULL contains the host namewithout the domain which is why the ICM ignores the system default
2 If the parameter is not set the value in icmhost_name_full is used
Set the value i icmhost_name_full = $(SAPLOCALHOST)domainext
This is particularly suitable for situations where multiple application servers are operatingwith one instance profile
3 If this parameter is also not set the ICM takes the FQHN of the operating system
The SAPLOCALHOST parameter is not fully qualified and is not used by the ICM forservices
SAP recommends that you set either SAPLOCALHOSTFULL (for high availabilityconfigurations) or icmhost_name_full
