
Webdispatcher White Paper


Table of Contents:

1. Purpose
2. What is Web dispatcher?
3. What are the functions of SAP Web dispatcher?
4. Architecture of the SAP Web Dispatcher
5. Server Selection and Load Balancing Using the SAP Web Dispatcher
   5.1. Server Selection
   5.2. Load Balancing
6. Configuring the SAP Web Dispatcher to Support SSL
   6.1. Passing the SSL Connection
   6.2. Terminating the SSL Connection
   6.3. Procedure
      6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server
      6.3.2. Configuring the SAP Web Dispatcher to Terminate the SSL Connection
   6.4. Pros and cons of End-to-End SSL / SSL-Termination
      6.4.1. Web Dispatcher in End-To-End SSL mode
      6.4.2. Web Dispatcher in SSL Termination mode
7. Key points


1. Purpose:

This paper is intended to introduce the SAP Web Dispatcher and to give detailed information on its advantages, implementation scenarios and SSL options.

In general, the following questions arise from customers when they are looking at protecting or load balancing an SAP system:

● What is the SAP Web Dispatcher?
● What are the functions of the SAP Web Dispatcher?
● Is it technically possible to have a single Web Dispatcher instance support multiple backend systems?
● How can the SAP Web Dispatcher be used to distribute the workload across the different instances of an SAP system?
● How is the SAP Web Dispatcher configured to support SSL?

2. What is Web dispatcher?

Assume that your company offers its customers browser-based access to data from SAP systems. Technically, the Web applications in ABAP and Java are implemented on the SAP NetWeaver AS. Since a very large number of your customers use this service, your SAP system, which is connected to the Internet, has multiple instances. How do you implement load distribution across the different instances of this SAP system in this scenario? The answer is simple: the Web Dispatcher.

The SAP Web Dispatcher is an application-level gateway for HTTP requests to an SAP Web Application Server. It is used as a software Web switch between the Internet and an SAP system that consists of one or more Web Application Servers. As a result, you have only one point of access for HTTP(S) requests to your system. In addition, the SAP Web Dispatcher balances the load so that each request is sent to the server with the highest capacity.

Note that apart from the Web Dispatcher, web requests can also be distributed through the message server or the ICM. However, these have only limited functionality and some disadvantages and are therefore not recommended by SAP. The SAP Web Dispatcher is the SAP-recommended method of distributing web requests because of its advantages and additional functionality.


3. What are the functions of SAP Web dispatcher?

● Distribution of requests to both ABAP and Java application instances
● Denial of unwanted requests (i.e. request filtering)
● Buffering of web requests
● Ensures that customers can access the SAP system via one address
● Provides security as it runs in the DMZ (demilitarized zone)
● Handles distribution of both HTTP and HTTPS requests

4. Architecture of the SAP Web Dispatcher:

The SAP Web Dispatcher is located between the Web client (browser) and your SAP system that is running the Web application.

The SAP Web Dispatcher forwards the incoming requests (HTTP, HTTPS) in turn to the SAP Web AS of the SAP system. The number of requests that are sent to a Web AS ABAP depends on its capacity, which depends on the number of configured dialog work processes. The capacity of a Web AS Java depends on the number of server processes. If the application is stateful, the SAP Web Dispatcher ensures that with the next request, the user is forwarded to the server that is processing his or her application. To do this, it uses the session cookie with HTTP connections, and the client IP address with end-to-end SSL.

Furthermore, the SAP Web Dispatcher decides whether the incoming request should be forwarded to an ABAP or a Java server.

5. Server Selection and Load Balancing Using the SAP Web Dispatcher:

5.1. Server Selection:

The SAP Web Dispatcher forwards each incoming HTTP(S) request to an appropriate SAP NW Application Server for processing, as illustrated by the following process flow.


Process Flow:

● The SAP Web Dispatcher first checks whether the request is an ABAP or a J2EE request. This distinction is based on an analysis of the URL prefix. For the URL http://portal.mindtree.com/A/B/C/Default.html, the prefix to be analyzed is the character string /A/B/C/. If this prefix is known in the ICF, this is an ABAP request. If the URL contains only one forward slash (/) after the host name, special handling is required: the value of the profile parameter is/HTTP/default_root_hdl determines the destination.

● In the case of an ABAP request, the SAP Web Dispatcher first uses a cookie to identify whether the request concerns a stateful application. If the cookie exists, the decision is simple: the request is sent to the application server that is processing this session. For a stateless application, the internal group !DIAG is selected, which consists of all ABAP application servers. This group is used only when no logon group (maintained with transaction SMLG) is inherited or specified explicitly in the ICF service.

● AS Java also recognizes the concept of logon groups. If no specific logon group has been configured for the prefix of the Java request, the SAP Web Dispatcher uses the internal group !J2EE. In the case of a stateful application, this is indicated through the session information in the URL or a load-balancing cookie. For compatibility reasons, the session cookie jsessionid can also still be used here.

● The SAP Web Dispatcher obtains information about the logon groups and URL mapping from an ABAP application server via HTTP or HTTPS. For this to happen, the services /sap/public/icman and /sap/public/icf_info/* must be activated in the ICF.
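To make the decision flow above concrete, here is an added Python model of it (example code written for this page, not SAP's implementation). It follows the steps listed: prefix analysis against the ICF, the is/HTTP/default_root_hdl fallback for a bare "/", cookie-based persistence for stateful sessions, the fallback groups !DIAG and !J2EE when no logon group is configured, and capacity-based selection for stateless requests. It also covers both persistence keys named in section 4: the session cookie over HTTP and the client IP address under end-to-end SSL. The cookie name sap-contextid for ABAP, the host names, and the capacity and load figures are assumptions constructed for the demo; jsessionid is the name the text gives.

```python
"""Illustrative model of the SAP Web Dispatcher server-selection flow (added example,
not SAP's code). Backend data (ICF prefixes, logon groups, servers) is constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ABAP_GROUP = "!DIAG"   # internal group: all ABAP application servers
JAVA_GROUP = "!J2EE"   # internal group: all Java server nodes
# Cookies used as persistence keys. "jsessionid" is named in the text;
# "sap-contextid" for ABAP stateful sessions is this example's assumption.
SESSION_COOKIE = {"abap": "sap-contextid", "j2ee": "jsessionid"}


@dataclass
class Server:
    name: str
    capacity: int   # dialog work processes (ABAP) or server processes (Java)
    load: int = 0   # requests currently assigned to this server


@dataclass
class Backend:
    icf_prefixes: set           # URL prefixes known in the ICF (=> ABAP request)
    abap_logon_groups: dict     # ICF prefix -> logon group (SMLG) set in the ICF service
    java_logon_groups: dict     # Java URL prefix -> logon group
    default_root_hdl: str       # is/HTTP/default_root_hdl: "abap" or "j2ee"
    groups: dict                # group name -> list of Server
    sticky: dict = field(default_factory=dict)  # persistence key -> server name


def url_prefix(url):
    """Prefix the dispatcher analyses: '/A/B/C/' for http://host/A/B/C/Default.html."""
    path = urlsplit(url).path
    if path in ("", "/"):
        return "/"
    return path.rsplit("/", 1)[0] + "/"


def request_kind(url, backend):
    """Classify the request as 'abap' or 'j2ee' from its URL prefix."""
    prefix = url_prefix(url)
    if prefix == "/":                      # only one slash after the host name
        return backend.default_root_hdl, prefix
    return ("abap" if prefix in backend.icf_prefixes else "j2ee"), prefix


def persistence_key(cookies, client_ip, kind, end_to_end_ssl):
    """Over HTTP (or terminated SSL) the session cookie identifies a stateful session;
    with end-to-end SSL the dispatcher cannot read cookies and only has the client IP."""
    if end_to_end_ssl:
        return client_ip
    return cookies.get(SESSION_COOKIE[kind])


def select_server(url, cookies, client_ip, backend, end_to_end_ssl=False):
    """Return (request kind, server name) following the section 5.1 process flow."""
    kind, prefix = request_kind(url, backend)
    key = persistence_key(cookies, client_ip, kind, end_to_end_ssl)
    if key in backend.sticky:              # stateful: stay on the server holding the session
        return kind, backend.sticky[key]
    if kind == "abap":
        group = backend.abap_logon_groups.get(prefix, ABAP_GROUP)
    else:
        group = backend.java_logon_groups.get(prefix, JAVA_GROUP)
    # stateless: the server in the group with the most free capacity wins
    server = max(backend.groups[group], key=lambda s: s.capacity - s.load)
    server.load += 1
    if key is not None:
        backend.sticky[key] = server.name
    return kind, server.name


def demo_backend():
    """Constructed sample landscape: two ABAP instances of different size, one Java node."""
    return Backend(
        icf_prefixes={"/sap/bc/bsp/sap/zshop/"},
        abap_logon_groups={},
        java_logon_groups={},
        default_root_hdl="abap",
        groups={ABAP_GROUP: [Server("abap01", 10), Server("abap02", 20)],
                JAVA_GROUP: [Server("java01", 5)]},
    )


if __name__ == "__main__":
    b = demo_backend()
    print(select_server("https://portal.example/sap/bc/bsp/sap/zshop/default.htm", {}, "10.0.0.1", b))
    print(select_server("https://portal.example/irj/portal", {}, "10.0.0.1", b))
    print(select_server("https://portal.example/", {}, "10.0.0.1", b))
```

Two behaviours are worth observing with this model: stateless ABAP requests go to the larger instance until its free dialog capacity drops to that of the smaller one, and under end-to-end SSL every client behind one proxy address is pinned to the same server whatever its session cookie says, which is the "Proxies" load-balancing problem listed under the contra points in section 6.4.1.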

5.2. Load Balancing:

One of the basic functions of the Web Dispatcher is to balance the load between the application servers. The Web Dispatcher does not establish its connectivity to the application servers directly; instead it connects to the message server, which ensures that the load is balanced across the application servers.

The SAP Web Dispatcher obtains information about the application servers of the SAP system from the message server via HTTP(S). You can use the SAP Web Dispatcher in pure ABAP systems as well as in combined ABAP + Java systems and pure Java systems. The installation option therefore determines the message server with which the SAP Web Dispatcher communicates.


6. Configuring the SAP Web Dispatcher to Support SSL:

If you are using a stand-alone SAP Web Dispatcher in front of the SAP Web AS, then use the procedures below to configure the SAP Web Dispatcher to support SSL. The SAP Web Dispatcher can either pass the SSL connection through to the server in the backend, or it can terminate the SSL connection. The two scenarios are shown below.

6.1. Passing the SSL Connection:

6.2. Terminating the SSL Connection:


6.3. Procedure:

6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server:

If the SAP Web Dispatcher is to pass the SSL connection through to the server in the backend, then, in addition to the standard parameters, set the following profile parameter in the SAP Web Dispatcher's profile:

    icm/server_port_<xx>=PROT=ROUTER,PORT=<port>,TIMEOUT=<timeout_in_seconds>

6.3.2. Configuring the SAP Web Dispatcher to Terminate the SSL Connection:

If the SAP Web Dispatcher is to terminate the SSL connection, then it must possess a security environment. To set up this security environment, perform the following:

A. Install the SAP Cryptographic Library on the SAP Web Dispatcher.

● Download the SAP Cryptographic software from the SAP marketplace and unpack the files using SAPCAR.
● Extract the contents of the SAP Cryptographic Library installation package.
● Copy the library file and the configuration tool sapgenpse.exe to a local directory, for example, the directory where the SAP Web Dispatcher is located. For this documentation, we will use the directory C:\Program Files\SAP\SAPWebDisp.
● Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the library to its location using ftp on UNIX, then the file permissions may not be set correctly. Make sure that the user that runs the SAP Web Dispatcher is able to execute the library's functions.
● Create a sub-directory called sec and copy the ticket file to this directory. This is also the directory where the SAP Web Dispatcher's PSEs and credentials are to be located.

Location of the SAP Cryptographic Library: C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll

Location of the configuration tool sapgenpse: C:\Program Files\SAP\SAPWebDisp\sapgenpse.exe

Location of the license ticket: C:\Program Files\SAP\SAPWebDisp\sec\ticket

B. Set the profile parameters.

Make the entries below in the instance profile:

---------------------------------------------------------------------------------
SAPSYSTEMNAME = XYZ

# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
SAPSYSTEM = 26

# Set DIR_INSTANCE so that the SAP Cryptographic Library can
# find the sec sub-directory.
DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp

# Message Server Description
rdisp/mshost = xyzmain
ms/http_port = 8000
ms/https_port = 443

# Description of the Access Points
icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900
icm/HTTPS/verify_client = 0

# Parameters for the SAP Cryptographic Library
ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll
ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse

# Parameters for Using SSL to the backend server
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
wdisp/ssl_cred = SAPSSLC.pse
wdisp/ssl_certhost = www.test.com
---------------------------------------------------------------------------------
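As an added check on the profile above (example code written for this page, not part of the paper and not SAP's tooling), the following Python linter parses the profile syntax, decodes the icm/server_port_<n> access points and reports settings that would leave the SSL setup inconsistent: an HTTPS access point without the security environment (ssl/ssl_lib and ssl/server_pse), a terminating dispatcher whose backend leg is not re-encrypted (wdisp/ssl_encrypt other than the value 2 used in the example), wdisp/ssl_auth without a client PSE in wdisp/ssl_cred, and a missing DIR_INSTANCE. A ROUTER access point is reported as informational, since in that pass-through mode persistence can only use the client IP address. The severity labels and the check set are this example's own choices; the embedded profile text is copied from step B.

```python
"""Added example: a small linter for SAP Web Dispatcher profile fragments.
Not SAP's tooling; checks and severities are this example's own choices."""
import re

PORT_KEY = re.compile(r"^icm/server_port_\d+$")

# Profile fragment from step B of the paper (comments shortened), used as the demo input.
PAGE_PROFILE = r"""
SAPSYSTEMNAME = XYZ
# The number must be different from the other SAP instances on the host.
SAPSYSTEM = 26
# Set DIR_INSTANCE so that the SAP Cryptographic Library can find the sec sub-directory.
DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp
rdisp/mshost = xyzmain
ms/http_port = 8000
ms/https_port = 443
icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900
icm/HTTPS/verify_client = 0
ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll
ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
wdisp/ssl_cred = SAPSSLC.pse
wdisp/ssl_certhost = www.test.com
"""


def parse_profile(text):
    """SAP profile syntax: one `key = value` per line, `#` starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)   # values may contain '=' themselves
            params[key.strip()] = value.strip()
    return params


def parse_access_point(value):
    """'PROT=HTTPS, PORT=443, TIMEOUT=900' -> {'PROT': 'HTTPS', 'PORT': '443', 'TIMEOUT': '900'}"""
    fields = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip().upper()] = v.strip()
    return fields


def lint_profile(text):
    """Return a list of (severity, message) findings for the SSL-related settings."""
    params = parse_profile(text)
    points = {k: parse_access_point(v) for k, v in params.items() if PORT_KEY.match(k)}
    protocols = {ap.get("PROT", "").upper() for ap in points.values()}
    findings = []
    if "DIR_INSTANCE" not in params:
        findings.append(("error", "DIR_INSTANCE missing: the SAP Cryptographic Library "
                                  "cannot find the sec sub-directory"))
    for name, ap in points.items():
        if not ap.get("PORT", "").isdigit():
            findings.append(("error", f"{name}: PORT must be numeric"))
    if "ROUTER" in protocols:
        findings.append(("info", "ROUTER access point: SSL is passed through unchanged, "
                                 "so stateful requests can only be pinned by client IP address"))
    if "HTTPS" in protocols:   # the dispatcher terminates SSL itself
        for p in ("ssl/ssl_lib", "ssl/server_pse"):
            if p not in params:
                findings.append(("error", f"{p} missing: an HTTPS access point needs a "
                                          "security environment (crypto library and server PSE)"))
        if params.get("wdisp/ssl_encrypt") != "2":
            findings.append(("warn", "wdisp/ssl_encrypt is not 2: client traffic is decrypted "
                                     "here but not always re-encrypted towards the backend"))
    if params.get("wdisp/ssl_auth", "0") != "0" and "wdisp/ssl_cred" not in params:
        findings.append(("error", "wdisp/ssl_auth is set but wdisp/ssl_cred names no client PSE"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_profile(PAGE_PROFILE) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```

Run against the profile from step B the linter reports nothing; commenting out ssl/server_pse or lowering wdisp/ssl_encrypt makes the gaps visible before the dispatcher is restarted.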


C. Create the SAP Web Dispatcher's PSE(s) and certificate request(s).

i. Creating the SAP Web Dispatcher's PSEs Using the Trust Manager

To create each PSE (SSL server PSE and SSL client PSE) using the trust manager:

● Start the trust manager (transaction STRUST).
● Using the context menu for the File node, choose Create (RSA). The Create PSE dialog appears.
● Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.
● Save the PSE to a local file (for example, in the Web Dispatcher's SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.

ii. Creating the SAP Web Dispatcher's PSEs and Certificate Requests Using SAPGENPSE

As an alternative, you can use the configuration tool sapgenpse to create the SAP Web Dispatcher's PSEs.

Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it on the command line as shown below:

    set SECUDIR=<SECUDIR_directory>

Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE:

    sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

Where:

-p: Path and file name for the PSE. If the complete path is not included, then the PSE file is created in the SECUDIR directory.
-r: File name for the certificate request
-x: PIN that protects the PSE


D. Send the certificate request(s) to a CA to be signed.

For each certificate request that you created, send the contents of the certificate request to your CA. The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate.

E. Import the certificate request response(s) into the PSE.

i. Importing the Certificate Request Response Using the Trust Manager

If you used the trust manager to create the SAP Web Dispatcher's PSE, then you can easily use it again to import the certificate request response. For each of the PSEs that you created, perform the following:

● If the certificate request dialog is still open, then close it.
● If the SAP Web Dispatcher's PSE is not loaded in the PSE maintenance section, then load it by selecting the File node with a double-click and selecting the PSE from the file system.
● In the PSE maintenance section, choose Import Cert. Response. The dialog for the certificate response appears.
● Insert the contents of the certificate request response into the dialog's text box, either using copy and paste or by loading the file from the file system. The signed public-key certificate is imported into the SAP Web Dispatcher's PSE, which is displayed in the PSE maintenance section. You can view the certificate by selecting it with a double-click. The certificate information is then shown in the certificate maintenance section.
● Create a PIN for the PSE.

ii. Importing the Certificate Request Response Using SAPGENPSE

As an alternative, you can use the configuration tool sapgenpse to import the certificate request response into the PSEs. Use the tool's command import_own_cert as shown below:

    sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

Where:

-p: Path and file name of the PSE
-c: Path and file name of the certificate request response
-r: File containing the CA's root certificate
-x: PIN that protects the PSE


F. Create credentials for the SAP Web Dispatcher.

Use the following command line to open each PSE and create credentials:

    sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>

Where:

-p: Path and file name for the PSE
-x: PIN that protects the PSE
-O: User for which the credentials are created (the user that runs the SAP Web Dispatcher process)

G. Restart the SAP Web Dispatcher.

H. Test the connection.

Start a BSP using an HTTPS connection to your SAP Web Dispatcher and the corresponding SSL port.

If your Web browser cannot completely verify the SAP Web Dispatcher's public-key certificate, then you will receive a dialog that states the reason why. For example, if your Web browser does not possess the issuing CA's root certificate as a trusted root certificate, then you are informed and can choose to trust the server at this time.

If you trust the server's certificate (either automatically or manually), then the next step is to authenticate yourself.

If your authentication was successful, the BSP appears.

6.4. Pros and cons of End-to-End SSL / SSL-Termination:

SSL is required whenever business data, such as user credentials (e.g. passwords), needs to be protected. It encrypts the entire communication between the browser and the server.

6.4.1. Web Dispatcher in End-To-End SSL mode:

Pro:

● Client authentication with X.509 certificates
● End-to-end data security
● The load balancer is an "untrusted" component

Contra:

● Persistence based on the client IP address only
● Load balancing problems:
   ● Proxies
   ● End of session
   ● IP address based persistence is usually OK on the Internet
● No logon groups
● No distinction between J2EE and ABAP applications

6.4.2. Web Dispatcher in SSL Termination mode:

Pro:

● Persistence based on the application session ID
● Logon groups
● Detection of the application type (ABAP/J2EE) and selection of the correct server
● Request parsing and URL filtering
● SSL re-encryption is possible

Contra:

● Harder to configure
● The Web Dispatcher becomes a "trusted component" (a secure channel to the Web AS is needed)
● Make sure the Web Dispatcher does not become a performance bottleneck, as it needs higher CPU capacity

7. Key points:

Various scenarios can be used when implementing the Web Dispatcher; the scenario to choose comes down to one's requirements for security, performance, cost, effort, etc. Some of the interesting facts about the Web Dispatcher are listed below.

● The Web Dispatcher is a software load balancer and application layer gateway for the SAP Web AS.
● The Web Dispatcher is not a reverse proxy, and is not meant to be.
● As of NetWeaver 7.2, it is possible to have a single Web Dispatcher cater to multiple backend systems; the NW 7.2 based Web Dispatcher is backward compatible and supports backends down to 6.10.
● Both end-to-end SSL and SSL termination are available; the SSL option should be chosen based on the requirements and after carefully analyzing the hardware and cost involved in setting up the chosen option.
● It is recommended to perform the sizing exercise with realistic inputs.
● No additional license cost is involved; the Web Dispatcher is delivered free of charge (as part of the Web AS).