Certificate Revocation on SAP Web Dispatcher
We have recently set up X.509 Certificate based authentication. The SSL handshake is performed by the Web Dispatcher. Requests are forwarded to SAP Netwewaver 2004s Portal with the certificate in the header field. All of this works "as advertised". Certificates are created by an OpenSSL based CA with the proper extensions and are mapped to UME accounts.
Now we want add the ability to revoke certificates. One reason is, that even if a certificate is no longer mapped to an account, the Portal will still allow the user to log in and use the certificate. The certificate is not stored in the UME, but for the time of the session it looks as if the user did authenticate with a certificate.
We have added the CRL distribtion point extension ot a certificate. We can see that the CRL is downloaded from this site. It shows up in the certificate revocation service page. However, all revoked certificates still work.
The same CRL works correctly on an Apache test server. Here a revoked client certificate will already cause the SSL handshake to fail.
Does it help us to have the CRL installed to the Portal server? Or is it necessary to set up revocation on the Web Dispatcher? Does the Web Dispatcher support certificate revocation at all? If yes, where does it get the CRL from? Does the CRL have to meet certain requirements in addition to the ones defined in RFC 3280?
>
Niels Carstensen wrote:
> OSS ticket is pending.
>
> But if the Web Dispatcher accepted the revoked certificate for the SSL handshake, the Portal will just not authenticate the user. It will, however, allow the user to map the certificate to his account. This even seems to happen, if the CertPersisterLoginModule has been removed from the login stack. So all of a sudden the user can login with username password, and at the same time present the (invalid!) certificate to the applications...
That indeed sounds like a bug - so it was a good idea to submit a support message.
Regards, Wolfgang
PS: I still believe that certificate revocation should be customizable on a per-application level ("application" in this context refers to "usage type": the same certificate might be used for different purposes: SSO, digital signature, encryption, S/MIME, ...). Furthermore, some of the certificate revocation mechanisms have a negative performance impact so they might be used with care. Take the payment card validation as an example: depending on the purchase amount you might be prompted for an online validation (requires to enter your PIN) and sometimes you simply need to sign-off a piece of paper - the decision is up to the shop operator and depends on the related costs (for online validation) which is comparable to "performance impacts" in our case).
Similar Messages
-
SAP Web Dispatcher Configuration (SSL, certificates)
Hi all,
We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost)fine. However, there's some strange behavior that I can not explain.
The following access point have been specified in the profile:
Description of the Access Points
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
icm/HTTPS/verify_client = 2
Basicly we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
The Web Dispatcher returns an error upon accessing it using HTTPS:
Dispatching Error
Error: -26
Version: 6040
Component: HTTP_ROUTE
Date/Time: Tue Mar 14 07:19:38 2006
Module: http_route.c
Line: 2383
Server: sapvm1_DVS_26
Detail: no valid destination server available for '!ALL' rc=13
Any help would be highly appreciated. Thanks!
FrodoHi KS,
Maybe you were right afterall I found a nice How to on the servce.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
All is working now.
Frodo -
SAP Web dispatcher not forwarding incoming HTTP portal sessions.
Hello,
We are using an EP6 Portal from which Abap Web dynpros are launched. The incoming http sessions were accessing our backend ECC6 SAP system through the sap server message . The http sessions were badly dispatched between the two abap servers. We have been advised by SAP to use the sap web dispatcher instead.
The sap web dispatcher has been correctly installed and configured (on the central abap instance ).
I have carefully read the SAP help section concerning the server selection using the sap web dispatcher :
http://help.sap.com/saphelp_nw04s/helpdata/en/5f/7a343cd46acc68e10000000a114084/frameset.htm
All our settings seem to be OK :
The incoming HTTP requests are forwarded to abap servers only.
*In transaction SICF, all the services under the tree
sap/public/icf_info have been assigned to the same logon group .
The capacity of the two servers included in the logon
group " is the same :
server40 LB=12
server60 LB=12
In the Web interface, capacity equal "1" for the two servers.
wdisp/load_balancing_strategy= weighted_round_robin
In the SAP web interface, the prefered server is ALWAYS the same :
Status of Server Group "LOADIS"
Loadbalancing Information
Number of Servers in this group 2
Last used Server
Preferred next Server server40_SPA_10
But it seems that the sap web dispatcher is not used at ALL.
The Load distribution is still based on the SMLG workload as it was the case, before, with the sap message server. The information displayed in the web interface (preferred server) is wrong.
The Preferred next Server is ALWAYS server40_SPA_10 (shown in the web interface), but, in fact, the http sessions are distributed between the two servers server60_SPA_00 and server40_SPA_10 depending on the server quality diplayed in transaction smlg. It was exactly the same behaviour we had before, only with the sap server message .
Any useful help would be highly appreciated.
Best Regards.Hi,
firstly, have you checked note 1094342? What variant do you want to use? Do you terminate a SSL connection on web dispatcher and create a new one between web dispatcher and application server? It looks like the web dispatcher can't verify SSL certificate used by application server. Maybe you've already tried this but you can try to turn off SSL between dispatcher and application server. If this setup works then problem is in SSL connection. You can check what host name is used in SSL certificate and what host name is used by dispatcher. You can use parameter wdisp/ssl_certhost which sets host name which will be used for certificate validation.
Cheers -
Issue in Installing Sap Web Dispatcher
Hi Experts,
We have Installed Sap Web Dispatcher in our landscape for https connection and we have generated the pse certificate .We were stuck in the next step as we have to forward this request to a certification authority such as Verisign or Thawte.
Can you please let us know the process on how we have to forward this request to Certification Authority.
Thanks in Advance..
Regards,
Krishna.MHi,
You are right ... It does NOT matter.
Here is no unicode/non-unicode version available for the webdispatcher.There is only one version available, and this use the non-unicode kernelpackage. You can carry on with the installation without any problem.
Rgds,
Sheikh Saggaf -
Client authentication in PI when SAP Web dispatcher terminates SSL
PI Security Experts,
Here is our design for Third-party Peoplesoft system initiating SOAP Call to PI Web Service created on our PI server.
1) Third-party Peoplesoft Application server initiates a SOAP call.
2) Third-party Network Gateway has a URL server certificate from our gateway and our gateway server has a root certificate from the CA used by third-party gateway. this will be used to establish the SSL tunnel between gateway.
3) SOAP request in our network will be routed through load balancer to SAP web dispatcher.
4) SAP web dispatcher terminates SSL connection
5) We will generate client cert for authentication and pass it onto third-party which they will load onto their PeopleSoft application server. SOAP call initiating from the PeopleSoft server will pass the client cert along with the message (My understanding is that the client cert will not be a part of SOAP message body. Ina other words we are not implementing message-level security. Is that true? How will the client cert be passed? How and where will a client attach the client cert with message?My understanding is that this is a network layer security and client certificate will be authenticated on PI J2ee server at SSL protocol level..Is my understanding correct?)
6) We will also load client certificate generated for client onto J2EE server using Visual Admin and map it to PI user for authentication.
7) SAP web dispatcher terminates SSL and passes the SOAP message to PI (J2EE) along with client cert in a http header variable.
There is some conflicting SAP documents. some say that client cert can't be used for PI authentication if Web Dispatcher terminates SSL connection (http://help.sap.com/saphelp_nw04s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm). There is some other documents that say that authentication using client cert is possible by having J2EE trusting Web Dispatcher and by passing client cert from Web Dispatcher to J2EE in a httpheader variable (http://help.sap.com/saphelp_erp2005/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm).
Now if client cert authentication is possible even if Web dispatcher terminates SSL, what cert do we need on J2EE, a cert from Web dispatcher or a client cert that's coming in from the client appication (the one that we created and provided to our third-party)?
If we install a cert from web dispatcher on J2EE then do we need a client cert on Web dispatcher instead of on J2EE? If so how and where do we map client cert to PI User?
I will really appreciate any advise on whether we are going down the right path and any pointers to my questions.
Thanks,
SaurabhHi,
May be below links will be helpful
Check the following links.. you will get the information all about the securities...
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Also find soeminformation in these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
Step by step guide for SSL security
step by step guide to implement SSL
Please go through below link for referance (above information is from below link)
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Regarding message level you can encrypt the message using certificates.
For both of this basis team has to deploy the releavant certificates in XI ABAP Stack or Java stack.
Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
Thanks
Swarup -
SAP Web Dispatcher Configuration in a FPN
Hi all,
We are using SAP Web Dispatcher 720 (latest patch 85).
We are having a FPN network. One consumer portal, with more than 5 producer portal (ECC JAVA, BW JAVA..etc) and more than 5 different backends (ECC, BW, SRM..etc)
We are using SSL termination at the web dispatcher.
We have configured all our consumer, producer, backends in our web dispatcher instance, to use the domain name with different ports.
Eg :
https://domainname.com - refers to our consumer portal
https://domainname.com:7110 - refers to our producer portal 1
https://domainname.com:7111 - refers to our producer portal 2
https://domainname.com:6100 - refers to our ABAP backend system 1
https://domainname.com:6111 - refers to our ABAP backend system 2 ..etc..,
by configuring so, we are facing lots of page not found issue intermittenly, as SAPlb cookies are passed incorrectly, since all refers to the same domain name (it ignores the different ports).
Can someone helps us to narrate how to configure web dispatcher which suites our FPN network. We can't go for different URLs for each system, as it requires more than 16 URLs and 16 web dispatcher instances.
Can someone share their experience
Thanks & Regards
SenthilHello Ravi,
Try to include directory 'admin' within directory
'sapwebdisp'.
You can let sapwebdisp create a sapwebdisp.pfl on your
behalf with option '-bootstrap'.
You will see the password for user 'icmadm'.
and this line
"icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin"
Then you use URL
'http://sapwedisphost:<xxxx>/sap/wdisp/admin/default.html'
See this documentation in
'http://help.sap.com/saphelp_nw04/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm'
(specially topic "Monitoring ..."
Kind Regards,
Toni -
SAP Web Dispatcher does not start as windows service
Hi,
I have successfully installed and configured SAP Web Dispatcher. When I start the web dispatcher from command prompt, it works fine. I created a windows service for web dispatcher using the command
ntscmgr install sapwebdisp -b "c:\program files\sap\sapwebdisp\sapwebdisp.exe"
-p "service pf=sapwebdisp.pfl -cleanup -auto_restart"
The command successfully created sapwebdisp service. The service also starts fine, but web dispatcher does not get started.
Any ideas experts?Hi,
Ok. Few suggestions.
1. Can you review the SAP note:
552286 Troubleshooting for the SAP Web Dispatcher
2. When you said: "web dispatcher does not get started ", what error you got ? Can you be more details here ?
3. Please check the trace file dev_webdisp" that generated in the work directory. If the log entries is not abvious, increase the trace level to 2 or 3, and reproduce and re-check the trace file.
4. What is the output of the command "sapwebdisp -v"
5. How about sapwebdisp.pfl ? Are those settings correct ?
Hope this helps.
Regards,
Vincent -
Reverse Proxy - Apache vs SAP Web Dispatcher
Hi,
my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
Web developments are based on Abap Web Dynpro and are also located on ECC.
To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
Those 2 systems are located in intranet. Intranet access are realized via http.
Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
Technical target chain links are depicted below.
internet access : browser (https) -
> (https) reverse proxy in DMZ (http) -
> IS (Portal/ECC)
intranet access : browser (http) -
> IS (portal/ECC)
At the moment two application gateway solutions have been identified :
Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
Regards.
Frederic.Hi,
PRO Webdispatcher:
- Supports SAP Java + ABAP
- Loadbalancing of SAP applications (stateful)
- Supports load balancing (saplb_* cookie)
- Free of costs
- easy to set up (up & running in 2 minutes)
- Supports HA solutions out-of-the-box (process HA)
- Filter + Rules to modify the requests
CONS Webdispatcher
- not a full reverse proxy
- Limited functionality
- one more server/solution (normaly, a company already does have a reverse proxy solution in place)
- limited user base (only SAP customers)
PRO Apache
- free
- widly in use
- full reverse proxy
- allows more complex filtering / rewriting
- can be used for more web solutions, reuse of existing apache reverse proxy
CONS Apache
- does not support SAP load balancing (connection to the message server port for load distribution)
- can be more complex to set up
- SAP specific technology / problems are more harder to fix (ABAP, Stateful connections, sap_lb*)
Short: both will server well as a reverse proxy.
Rule of thumb: If you go for Apache or Web Dispatcher should mainly depend on you current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it .
If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
br,
Tobias -
SAP Web dispatcher and WebAS 6.20 ?
Hi all,
I'm trying to configure a standalone SAP Web dispatcher (SWD) to access our WebAS (WAS), but I don't understand how to setup the configurations files.
Currently I can reach the SWD admin via: http://swdhost:81/sap/wdisp/admin/default.html
The WebAS (ABAP) service I want to access is at:
http://washost/ris
The SWD pfl file looks like this:
# Profile generated by sapwebdisp bootstrap
# unique instance number
SAPSYSTEM = 1
# Accesssability of Message Servers
rdisp/mshost = swdhost
ms/http_port = 80
# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/url_map_location = file://urlprefix.txt
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=81
# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
Urlprefix.txt looks like this:
version 1.0
PREFIX=%2fRIS%2f&CASE=&VHOST=%2a%3a%2a%3b
Now after reading most of the post in the forum and the docs, I still cant understand how I can "say" to SWD to map http://swdhost:81/ris to http://washost/ris .
Thanks in advance for your help.
Best Regards
ErikHi Alexander,
Thanks, the ms/http_port parameter was not set in my WAShost, now the SWD can see the WAS
now if I try to reach :
http://WAShost:81/sap/public/ping , I get a reply from my WAShost.
but I can't reach http://SWDhost:81/ris or http://SWDhost:81/sap/bc/was/sap/zris
http://WAShost/ris is an alias of http://WAShost/sap/bc/was/sap/zris.
Anyway thanks already.
Cheers
Erik -
A question about SAP Web Dispatcher
Following paragraph is copied from TADM10_2 book, Page 39 (Participant Handbok, 2005Q4, 50074912). My question is why there are two same items - ABAP-only scenario? I might be print issue.
The SAP Web Dispatcher can be used for load balancing in the following scenarios:
* Java-only scenario, as described here.
* ABAP-only scenario (see SAP customer training course ADM102, SAP Web AS Administration II)
* ABAP-only scenario (see SAP customer training course ADM102, SAP Web AS Administration II)
Please advise. Thanks so much.
JamesHI,
Yes, I think its a print mistake. It should be ABAP Only and Both ABAP and Java Instance.
Rgds
Radhakrishna D S -
SAP Web Dispatcher in a high availability environment
Hello, guys
We are working in a CRM 7.0 implementation Project. Our system landscape is the following:
- Two hosts (host1 & host2) on MSCS cluster (Windows 2008) with SQL Server and ASCS in high availability. Additional, this MSCS cluster has a instance of SAP Web Dispatcher.
- In these two host weu2019ve installed a CI & DI instance, outside of high availability scope
- Two additional hosts (host3 & host4) with one dialog instance in every host
We have severe problems with communication between SAP Web Dispatcher and ICM components. Our configuration schema is the next:
- ASCS (MSCS_virtual_hostname):
ms/server_port_0 = PROT=HTTP,PORT=8141
SAPLOCALHOSTFULL = <MSCS_virtual_hostname>.<domain>
- IC (host1)
icm/server_port_0 = PROT=HTTP,PORT=8040,TIMEOUT=90,PROCTIMEOUT=600
icm/host_name_full = <host1>.<domain>
- ID1 (host2)
icm/server_port_0 = PROT=HTTP,PORT=8044,TIMEOUT=90,PROCTIMEOUT=600
icm/host_name_full = <host2>.<domain>
- ID3 (host3)
icm/server_port_0 = PROT=HTTP,PORT=8045,TIMEOUT=90,PROCTIMEOUT=600
icm/host_name_full = <host3>.<domain>
- ID4 (host4)
icm/server_port_0 = PROT=HTTP,PORT=8046,TIMEOUT=90,PROCTIMEOUT=600
icm/host_name_full = <host4>.<domain>
- SAP Web Dispatcheer (MSCS_virtual_hostname):
SAPGLOBALHOST = <MSCS_virtual_hostname>
SAPLOCALHOSTFULL = <MSCS_virtual_hostname>.<domain>
SAPLOCALHOST = <MSCS_virtual_hostname>
SAPLOCALHOST = <MSCS_virtual_hostname>
ms/http_port = 8141
icm/server_port_0 = PROT=HTTP, PORT=8042,TIMEOUT=30,PROCTIMEOUT=600
wdisp/add_xforwardedfor_header = TRUE
In SAP Web Dispatcher log weu2019ve found the following error messages:
Fri Jan 28 15:45:22 2011
***LOG Q0I=> NiPConnect2: connect (10061: WSAECONNREFUSED: Connection refused)
*** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 6 / sock 130060
(SI_ECONN_REFUSE/10061; I4; ST; 192.168.6.182:8044)
*** ERROR => Connection request to host: , service: 8044 failed (NIECONN_REFUSED)
SAP Web Dispather is trying to connect to connect with dialog instances through , which itu2019s incorrect (ports 8044, 8045 & 8046 are opened in dialog instances, not in virtual instance). I think it should try with real hostnames (host1, host2, host3 & host4).
¡¡Please, help!! Thanks in advanceHello, Karthi,
Our Web Dispatcher profile looks as following:
Instance specific parameters
Maybe some of these parameters are needless
SAPSYSTEMNAME = <CRM SID>
INSTANCE_NAME = <WD SID>
SAPSYSTEM = <WD System number>
SAPGLOBALHOST = <virtual hostname of WD>
SAPLOCALHOSTFULL = <FQDN of virtual hostname of WD>
SAPLOCALHOST = <virtual hostname of WD>
Directorios
DIR_INSTANCE = R:\usr\sap\wd
DIR_INSTALL = R:\usr\sap\wd
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = R:\usr\sap\wd
DIR_PROFILE = R:\usr\sap\wd
DIR_HOME = R:\usr\sap\wd
DIR_ICMAN_ROOT = $(DIR_INSTANCE)\icmanroot
R:\usr\sap\wd\global\security\data
Accesibilidad al Message Server
rdisp/mshost = <virtual hostname of CRM Message Server>
ms/http_port = <HTTP port of CRM Message Server>
HTTP Settings
Puerto estandar de acceso HTTP
icm/server_port_0 = PROT=HTTP, PORT=8042,TIMEOUT=30,PROCTIMEOUT=600
These parameters defines load balancing weights
#wdisp/server_00 = NAME=<hostname_SID_SYSNR>, LB=4, ACTIVE=0
#wdisp/server_01 = NAME=<hostname_SID_SYSNR>, LB=10, ACTIVE=1
#wdisp/server_02 = NAME=<hostname_SID_SYSNR>, LB=20, ACTIVE=1
#wdisp/server_03 = NAME=<hostname_SID_SYSNR>, LB=20, ACTIVE=1
Puerto de acceso interfaz web de administrador
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(DIR_INSTANCE)\sec\icmauth.txt
Activaciu00F3n de la cachu00E9 de SAP Web Dispatcher
icm/HTTP/server_cache_0/http_cache_control = true
icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=$(DIR_INSTANCE)\cache
Fichero de log de seguridad
icm/security_log = LOGFILE=$(DIR_HOME)\log\security_%y%m%d.log, SWITCHTF=day, MAXSIZEKB=1024, FILEWRAP=off
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=$(DIR_HOME)\log\wd_log_%y%m%d.log, SWITCHTF=day, MAXSIZEKB=1024, FILEWRAP=off
icm/log_level = 1
Dispatcher Configuration
wdisp/add_xforwardedfor_header = FALSE
Parametrizacion de memoria
Datos de sizing de los que se parten #
#users = 1800 usuarios (900 concurrentes)
#req_per_dialog_step = 6 peticiones HTTP por paso
#thinktime_per_diastep_sec = 10 seg. de "thinktime"
#conn_keepalive_sec = 30 seg. mantener conexiu00F3n abierta con ICM
#icm/max_conn = users * req_per_dialog_step * conn_keepalive_sec / thinktime_per_diastep_sec
icm/max_conn = 16200
wdisp/HTTP/max_pooled_con = icm/max_conn
wdisp/HTTP/max_pooled_con = 16200
icm/max_sockets = al menos la suma de icm/max_conn y wdisp/HTTP/max_pooled_con
icm/max_sockets = 32400
mpi/buffer_size = 64K = 64 * 1024 = 65536
mpi/buffer_size = 65536
mpi/total_size_MB = icm/max_conn * mpi/buffer_size (hay que convertir mpi/buffer_size a MB)
mpi/total_size_MB = 1024
icm/req_queue_len = icm/max_conn / 2
icm/req_queue_len = 8100
icm/min_threads = icm/max_conn / ~50
icm/min_threads = 512
icm/max_threads = icm/max_conn / ~20
icm/max_threads = 1024
Parametrizacion de seguridad
Evitar el envu00EDo de mensajes tu00E9cnicos al usuario final
is/HTTP/show_detailed_errors = FALSE
#icm/HTTP/error_templ_path
And ICM parameters are:
- SAPLOCALHOSTFULL= <FQDN of every application server>
- icm/server_port_0 = PROT=HTTP,PORT=8080,TIMEOUT=90,PROCTIMEOUT=600:
- icm/host_name_full = <FQDN of every application server> ## This parameter is ignored if SAPLOCALHOSTFULL is defined
I hope it helps you.
Best regards,
Sergio Su00E1nchez -
SAP WEB Dispatcher for Two systems
Hi experts,
i want to configuration SAP web dispatcher for two hosts
web dispatcher has installed on saprate host( host are accessible via public ally) and other host contains two ABAP system are in same host.
i have configure two HTTP ports in the Web Dispatcher profile
icm/server_port_0 = PROT=HTTP, PORT=8888
icm/server_port_1 = PROT=HTTP, PORT=7777
In addition, you define the system assignments, as follows:
wdisp/system_0 = SID=ERP, MSHOST=ms_erp, MSPORT=8082, SRCSRV=*:8888
wdisp/system_1 = SID=CE1, MSHOST=ms_erp, MSPORT=8127, SRCSRV=*:7777
but i want to know how can do the url mapping i want to open WEBGUI for both ABAP systems.
and how can access?
Please suggest.
Regards,Hi Vivek,
Check the below link, I think it would help you with the configuration.
One Web Dispatcher, Multi Systems with URL Prefixes
And also read the below document for the Mapping of one SAP Webdispatcher to Multiple Systems.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b0/ebfa88e9164d26bdf1d21a7ef6fc25/content.htm
Regards,
Sushil -
Support pakages and patch sap web dispatcher
Hi,
I have install sap web dispatcher on a sap server on abap stack.
I have download support packages for web dispatcher form sap mark.
Anybody know how can I patch web dispatcher with u201Csapwebdisp_86-20003979.saru201D file..
Thanks for any help.Hi my friend
Just unzip the SAR file and replace the old files with the latest, like replacing kernel files.
Note 908097 - SAP Web Dispatcher: Released releases and applying patches
Regards, -
Buenas tardes estimados,
Configure el web dispatcher con solman pero el webdispatcher solo me permite acceder a los servicios del stack de java que corren en el puerto 50000 pero no me deja ver los servicios abap de la SICF que corren en el puerto 8000 alguno tendra una idea de porque ocurre esto? y como puedo solucionarlo?Hola Diego,
Te comento si estan corriendo perfectamente mis servicios de la sicf por el puerto 8000 y los de java por el 50000 mi ms/http_port es el 8101 lo que pasa es que el web dispatcher solo me detecta el stack de java no me detecta el stack de abap por ende puedo acceder a cualquier servicio que corra en el puerto 50000 pero a los que corren en el puerto 8000 que son los de abap no le llego por el webdisp porque el mismo no me esta detectando el stack de abap.
Pude observar que al introducir esta url http://ServidorDeSolman:8101/msgserver/text/logon obtengo este resultado:
version 1.0
J2EE4070400
J2EE ServidorDeSolman 50000 LB=1
J2EES ServidorDeSolman 50001 LB=1
P4 ServidorDeSolman 50004 LB=1
P4S ServidorDeSolman 50006 LB=1
P4HTTP ServidorDeSolman 50005 LB=1
JC_MIASRV00_LCS_00
ServidorDeSolman 50018
Como podemos observar solo arroja info del stack de java y los puertos java pero no arroja la info del stack de ABAP.
Tambien por el webdisp realice esta prueba via linea de comandos en el cmd:
C:\usr\sap\WEB\SYS\profile>sapwebdisp -checkconfig pf=WEB_W02_MIASRV00
Checking SAP Web Dispatcher Configuration
=========================================
maximum number of sockets supported on this host: 8192
Server info will be retrieved from host: ServidorDeSolman:8101 with protocol: http
Checking connection to message server...OK
Retrieving server info from message server...OK
Message Server instance list
------++--
+
instance name
hostname
HTTP port
HTTPS port
------++--
+
J2EE4070400 ServidorDeSolman
50000
50001
------++--
+
Checking ABAP servers with URL "/sap/public/icman/ping":
No server group "!DIAG" defined
Checking J2EE servers with URL "/index.html":
Checking J2EE server http://ServidorDeSolman:50000...OK
Web Dispatcher configuration for J2EE only system: No server group !DIAG defined
On double stack systems, configure Web Dispatcher to access Message Server of SAP Web AS ABAP
Pareciera que debo agregar algun parametro en el webdisp que indique que el sistema es dual stack pero de verdad no tengo idea si sea ese el problema y cual seria el parametro.
Alguna idea de que se puede hacer?
Muchas gracias por la ayuda
Saludos Cordiales -
SAP Web Dispatcher for Portal reverse proxy
Hi Experts,
I am on EP6.0 SP20 and trying to use SAP web dispatcher as reverse proxy.
I followed the below web log to configure the web dispatcher.
[How to...Configure SAP Webdispatcher as a reverse proxy|How to...Configure SAP Webdispatcher as a reverse proxy]
I still have some problems logging into the Portal through the web dispatcher.
Web Dispatcher is in the DMZ not behind the firewall. We opened the port 80 only for Web dispatcher server.
We are getting an error in the browser,
http://<host of portal>.<domain name>:50000/irj/portal can not be recognized.
I have no clue to how to get rid of this error. any help will be greatly appreciated.
Regards,Hi,
I do not know the exact ESS WebDynpro you are using but it may be possible that these WebDynpros use absolute URLs which of course do not point to the hostname and port of the Web Dispatcher.
There are several ways to circumvent this:
Please check http://help.sap.com/saphelp_nw04s/helpdata/en/62/5f374ff72c40478fcba2bb4fa79ddf/frameset.htm and add the parameters wdisp/add_client_protocol_header and (more important for you: wdisp/handle_webdisp_ap_header) to the WebDynpro configuration.
(A nice explenation why we have to use this can be found here: https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bsp/using+proxies&)
another way would be to tell the J2EE engine directly that it is behind a WebDispatcher, by setting the ProxyMappings (http://help.sap.com/saphelp_nw70/helpdata/en/b8/437d46d4451e4c9ab756e272a1581d/frameset.htm)
Regards,
Holger.
Maybe you are looking for
-
<pre><nowiki>AdapterRendererIDs: 0x21a00,0x20400 BuildID: 20110413222027 CrashTime: 1304437078 EMCheckCompatibility: true FramePoisonBase: 00000000f0dea000 FramePoisonSize: 4096 InstallTime: 1304365335 Notes: Renderers: 0x21a00,0x20400 ProductName: F
-
Referencing invoice vs. sales order in credit memo
Can someone please explain to me why one would create a credit memo referencing an invoice as opposed to a sales order? What would the business scenario be for this case? Thanks,
-
I've got about 2500 songs on my iphone, i have recently replaced my computer because the old one crashed, so i lost all the songs in the itunes library. My question is, it seems that now i am unable to drag/drop new downloaded songs without syncing m
-
Help Please.
-
Uttsc to VRDP/MSRDP session freezes on Windows 7
Hi all, We have an educational customer who are using Sun Ray Software 5.1.2 (ie SRWC 2.3.1) on Solaris x86. They are using VirtualBox (we have tried 3.0.x, 3.2.x and 4.0.x all with the same result) running Windows 7 professional. We have tried conne