Simple steps to set up SAP Web Dispatcher and SSL

Hi,
Could someone please provide simple steps explaining how to configure the SWD to communicate using end-2-end SSL with an XI server? The J2EE engine is listening on port 50001 for HTTPS requests. I have verified SSL is fine through direct connectivity.
Also our SWD now works fine with HTTP.
Could someone explain the following:
1. What parameters must I specify in the SWD profile file?
2. Do I have to add any parameters via RZ10 to the instance profile?
3. Do I have to create and activate an HTTPS service via SMICM?
4. Do I have to activate any internet services via SICF?
Thanks

Hi Eddy,
Sorry just got round to checking on this. The documentation you point to here is what we used as the basis for our setup.
We are attempting to use End-2-End SSL and did modify the SWD profile accordingly. It does not work however. If I connect via SSL directly to the J2EE server it works fine. Also connecting via HTTP thru the SWD works as well.
We are unsure as to whether there is something (parameters, service, etc.) that we have to set up via SMICM and/or RZ10 to enable SSL on the ICM? Or even whether that is necessary.
Ideally what I'd like is if someone can explain step-by-step what needs to be set up in the ABAP stack/message server that would be great.
Thanks
Brian

Similar Messages

  • Client authentication in PI when SAP Web dispatcher terminates SSL

    PI Security Experts,
    Here is our design for Third-party Peoplesoft system initiating SOAP Call to PI Web Service created on our PI server.
    1) Third-party Peoplesoft Application server initiates a SOAP call.
    2) Third-party Network Gateway has a URL server certificate from our gateway and our gateway server has a root certificate from the CA used by third-party gateway. this will be used to establish the SSL tunnel between gateway.
    3) SOAP request in our network will be routed through load balancer to SAP web dispatcher.
    4) SAP web dispatcher terminates SSL connection
    5) We will generate client cert for authentication and pass it onto third-party which they will load onto their PeopleSoft application server. SOAP call initiating from the PeopleSoft server will pass the client cert along with the message (My understanding is that the client cert will not be a part of SOAP message body. Ina other words we are not implementing message-level security. Is that true? How will the client cert be passed? How and where will a client attach the client cert with message?My understanding is that this is a network layer security and client certificate will be authenticated on PI J2ee server at SSL protocol level..Is my understanding correct?)
    6) We will also load client certificate generated for client onto J2EE server using Visual Admin and map it to PI user for authentication.
    7) SAP web dispatcher terminates SSL and passes the SOAP message to PI (J2EE) along with client cert in a http header variable.
    There is some conflicting SAP documents. some say that client cert can't be used for PI authentication if Web Dispatcher terminates SSL connection (http://help.sap.com/saphelp_nw04s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm). There is some other documents that say that authentication using client cert is possible by having J2EE trusting Web Dispatcher and by passing client cert from Web Dispatcher to J2EE in a httpheader variable (http://help.sap.com/saphelp_erp2005/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm).
    Now if client cert authentication is possible even if Web dispatcher terminates SSL, what cert do we need on J2EE, a cert from Web dispatcher or a client cert that's coming in from the client appication (the one that we created and provided to our third-party)?
    If we install a cert from web dispatcher on J2EE then do we need a client cert on Web dispatcher instead of on J2EE? If so how and where do we map client cert to PI User?
    I will really appreciate any advise on whether we are going down the right path and any pointers to my questions.
    Thanks,
    Saurabh

    Hi,
    May be below links will be helpful
    Check the following links.. you will get the information all about the securities...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find soeminformation in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through below link for referance (above information is from below link)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level you can encrypt the message using certificates.
    For both of this basis team has to deploy the releavant certificates in XI ABAP Stack or Java stack.
    Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • SAP Web dispatcher and WebAS 6.20 ?

    Hi all,
    I'm trying to configure a standalone SAP Web dispatcher (SWD) to access our WebAS (WAS), but I don't understand how to setup the configurations files.
    Currently I can reach the SWD admin via: http://swdhost:81/sap/wdisp/admin/default.html
    The WebAS (ABAP) service I want to access is at:
    http://washost/ris
    The SWD pfl file looks like this:
    # Profile generated by sapwebdisp bootstrap
    # unique instance number
    SAPSYSTEM = 1
    # Accesssability of Message Servers
    rdisp/mshost = swdhost
    ms/http_port = 80
    # SAP Web Dispatcher Parameter
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/url_map_location = file://urlprefix.txt
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=81
    # SAP Web Dispatcher Web Administration
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
    Urlprefix.txt looks like this:
    version 1.0
    PREFIX=%2fRIS%2f&CASE=&VHOST=%2a%3a%2a%3b
    Now after reading most of the post in the forum and the docs, I still cant understand how I can "say" to SWD to map http://swdhost:81/ris to http://washost/ris .
    Thanks in advance for your help.
    Best Regards
    Erik

    Hi Alexander,
    Thanks, the ms/http_port parameter was not set in my WAShost, now the SWD can see the WAS
    now if I try to reach :
    http://WAShost:81/sap/public/ping , I get a reply from my WAShost.
    but I can't reach http://SWDhost:81/ris or http://SWDhost:81/sap/bc/was/sap/zris
    http://WAShost/ris is an alias of http://WAShost/sap/bc/was/sap/zris.
    Anyway thanks already.
    Cheers
    Erik

  • SAP Web Dispatcher Configuration (SSL, certificates)

    Hi all,
    We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost)fine. However, there's some strange behavior that I can not explain.
    The following access point have been specified in the profile:
    Description of the Access Points
    icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
    icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
    icm/HTTPS/verify_client = 2
    Basicly we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
    The Web Dispatcher returns an error upon accessing it using HTTPS:
    Dispatching Error
    Error: -26
    Version: 6040
    Component: HTTP_ROUTE
    Date/Time: Tue Mar 14 07:19:38 2006 
    Module: http_route.c
    Line: 2383
    Server: sapvm1_DVS_26
    Detail: no valid destination server available for '!ALL' rc=13
    Any help would be highly appreciated. Thanks!
    Frodo

    Hi KS,
    Maybe you were right afterall I found a nice How to on the servce.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
    icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
    icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
    However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
    All is working now.
    Frodo

  • Web Dispatcher and SSL on ABAP+Java

    Hello,
    Have installed SAP web dispatcher on WAS 6.40 ABAP+Java system. Communicating with Portal SP16 system.
    The HTTP works fine. Have not been able to get SSL working with web dispatcher.
    For troubleshooting activated ITS on this system and HTTPS works fine with ITS webgui.
    Have followed the "how to" SSL for web dispatcher guide.
    Also should mention that we have generated certificate requests and PSE's but our organization has not yet chosen a certificate authority to sign the cerficates. For other scenarios (log onto Portal, XI, etc) the only difference is the certifcate warning dialog, otherwise works fine.  Would this cause a problem for Web Dispatcher?
    Trying the SSL end to end scenario receive
    WARNING: Could not start service 0 for protocol HTTPS on host "max-sap" on all adapters
    Is there anything
    unique for the ABAP+Java configuration?
    Thanks,
    Alan

    I solved this problem by setting the following profile parameter on my webdispatcher profile.
    wdisp/ssl_ignore_host_mismatch = true
    Doesn't fix the underlying problem but got me going until I can figure it out.

  • Web Dispatcher and SSL

    Dear All,
    I've configured Web Dispatcher with SSL. When I run command "sapwebdisp pf=sapwebdisp.pfl", my HTTPS service could not be started. It gives me error "WARNING: Could not start service 60000 for protocol HTTPS on host "myserver" (on all adapters)".
    Any idea?
    BTW, my SAP Web Dispatcher is up and running.
    Rgds,
    Hapizorr

    HI Koti Reddy,
    Below is the log from dev_webdisp. Any iddea?
    trc file: "dev_webdisp", trc level: 1, release: "700"
    sysno      00
    sid       
    systemid   562 (PC with Windows NT)
    relno      7000
    patchlevel 0
    patchno    110
    intno      20050900
    make:      multithreaded, ASCII, 64 bit, optimized
    pid        2892
    [Thr 2800] started security log to file dev_icm_sec
    [Thr 2800] SAP Web Dispatcher running on: psahrmswd
    [Thr 2800] MtxInit: 30001 0 2
    [Thr 2800] IcmInit: listening to admin port: 65000
    [Thr 2188] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
    X.509 cert data will be removed from header [http_plgrt.c 670]
    [Thr 2188] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist [http_adm.cpp 286]
    [Thr 2188] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist - nothing extracted [http_adm.cpp 301]
    [Thr 2188] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=0, flags=4101) for /sap/wdisp/admin:0
    [Thr 2188] CsiInit(): Initializing the Content Scan Interface
    [Thr 2188]            PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
    [Thr 2188] CsiInit(): CSA_LIB = ".\sapcsa.dll"
    [Thr 2188] *** ERROR => DlLoadLib: LoadLibrary(.\sapcsa.dll) Error 126 [dlnt.c       237]
    [Thr 2188]         Error 126 = "The specified module could not be found."
    [Thr 2188] *** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth.c  300]
    [Thr 2188] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=1, flags=12293) for /:0
    [Thr 2188] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=2, flags=28677) for /:0
    [Thr 2188] =================================================
    [Thr 2188] = SSL Initialization  on  PC with Windows NT
    [Thr 2188] =   (700_REL,May 21 2007,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
    [Thr 2188]   SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "U:\secudir\sec\sapcrypto.dll"
               resulting Filename = "U:\secudir\sec\sapcrypto.dll"
    [Thr 2188]   SapISSLComposeFilename(): profile param "ssl/server_pse" = "U:\secudir\sec\SAPSSL.pse"
               resulting Filename = "U:\secudir\sec\SAPSSL.pse"
    [Thr 2188] =   found SAPCRYPTOLIB  5.5.5C pl24  (Jun 11 2008) MT-safe
    [Thr 2188] =   current UserID: PSAHRMSWD\Administrator
    [Thr 2188] =   found SECUDIR environment variable
    [Thr 2188] =   using SECUDIR=U:\secudir\sec
    [Thr 2188] *** ERROR =>   secudessl_Create_SSL_CTX():  PSE "U:\secudir\sec\SAPSSL.pse" not found! [ssslsecu.c   1296]
    [Thr 2188] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
      secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
    [Thr 2188] >> -
    Begin of Secude-SSL Errorstack -
    >>
    [Thr 2188] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
    ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
    ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
    ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
    ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "U:\secudir\sec\SAPSSL.pse"
    [Thr 2188] << -
    End of Secude-SSL Errorstack -
    [Thr 2188] *** ERROR => Initialization of SSL library failed -- NO SSL available!
    [Thr 2188] =================================================
    [Thr 2188] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
    [Thr 2188] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c   319]
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 0
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 1
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 2
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 3
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 4
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 5
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 6
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 7
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 8
    [Thr 2800] IcmCreateWorkerThreads: created worker thread 9
    [Thr 2832] IcmWatchDogThread: watchdog started

  • SAP Web Dispatcher in a high availability environment

    Hello, guys
    We are working in a CRM 7.0 implementation Project. Our system landscape is the following:
       - Two hosts (host1 & host2) on MSCS cluster (Windows 2008) with SQL Server and ASCS in high availability. Additional, this MSCS cluster has a instance of SAP Web Dispatcher.
       - In these two host weu2019ve installed a CI & DI instance, outside of high availability scope
       - Two additional hosts (host3 & host4) with one dialog instance in every host
    We have severe problems with communication between SAP Web Dispatcher and ICM components. Our configuration schema is the next:
       - ASCS (MSCS_virtual_hostname):
    ms/server_port_0 = PROT=HTTP,PORT=8141
    SAPLOCALHOSTFULL = <MSCS_virtual_hostname>.<domain>
       - IC (host1)
    icm/server_port_0 = PROT=HTTP,PORT=8040,TIMEOUT=90,PROCTIMEOUT=600
    icm/host_name_full = <host1>.<domain>
       - ID1 (host2)
    icm/server_port_0 = PROT=HTTP,PORT=8044,TIMEOUT=90,PROCTIMEOUT=600
    icm/host_name_full = <host2>.<domain>
       - ID3 (host3)
    icm/server_port_0 = PROT=HTTP,PORT=8045,TIMEOUT=90,PROCTIMEOUT=600
    icm/host_name_full = <host3>.<domain>
       - ID4 (host4)
    icm/server_port_0 = PROT=HTTP,PORT=8046,TIMEOUT=90,PROCTIMEOUT=600
    icm/host_name_full = <host4>.<domain>
       - SAP Web Dispatcheer (MSCS_virtual_hostname):
    SAPGLOBALHOST = <MSCS_virtual_hostname>
    SAPLOCALHOSTFULL = <MSCS_virtual_hostname>.<domain>
    SAPLOCALHOST = <MSCS_virtual_hostname>
    SAPLOCALHOST = <MSCS_virtual_hostname>
    ms/http_port = 8141
    icm/server_port_0 = PROT=HTTP, PORT=8042,TIMEOUT=30,PROCTIMEOUT=600
    wdisp/add_xforwardedfor_header = TRUE
    In SAP Web Dispatcher log weu2019ve found the following error messages:
    Fri Jan 28 15:45:22 2011
    ***LOG Q0I=> NiPConnect2: connect (10061: WSAECONNREFUSED: Connection refused)
    *** ERROR => NiPConnect2: SiPeekPendConn failed for hdl 6 / sock 130060
        (SI_ECONN_REFUSE/10061; I4; ST; 192.168.6.182:8044)
    *** ERROR => Connection request to host: , service: 8044 failed (NIECONN_REFUSED)
    SAP Web Dispather is trying to connect to connect with dialog instances through , which itu2019s incorrect (ports 8044, 8045 & 8046 are opened in dialog instances, not in virtual instance). I think it should try with real hostnames (host1, host2, host3 & host4).
    ¡¡Please, help!! Thanks in advance

    Hello, Karthi,
    Our Web Dispatcher profile looks as following:
    Instance specific parameters
    Maybe some of these parameters are needless
    SAPSYSTEMNAME = <CRM SID>
    INSTANCE_NAME = <WD SID>
    SAPSYSTEM = <WD System number>
    SAPGLOBALHOST = <virtual hostname of WD>
    SAPLOCALHOSTFULL = <FQDN of virtual hostname of WD>
    SAPLOCALHOST = <virtual hostname of WD>
    Directorios
    DIR_INSTANCE = R:\usr\sap\wd
    DIR_INSTALL = R:\usr\sap\wd
    DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
    DIR_EXECUTABLE = R:\usr\sap\wd
    DIR_PROFILE = R:\usr\sap\wd
    DIR_HOME = R:\usr\sap\wd
    DIR_ICMAN_ROOT = $(DIR_INSTANCE)\icmanroot
    R:\usr\sap\wd\global\security\data
    Accesibilidad al Message Server
    rdisp/mshost = <virtual hostname of CRM Message Server>
    ms/http_port = <HTTP port of CRM Message Server>
    HTTP Settings
    Puerto estandar de acceso HTTP
    icm/server_port_0 = PROT=HTTP, PORT=8042,TIMEOUT=30,PROCTIMEOUT=600
    These parameters defines load balancing weights
    #wdisp/server_00 = NAME=<hostname_SID_SYSNR>, LB=4, ACTIVE=0
    #wdisp/server_01 = NAME=<hostname_SID_SYSNR>, LB=10, ACTIVE=1
    #wdisp/server_02 = NAME=<hostname_SID_SYSNR>, LB=20, ACTIVE=1
    #wdisp/server_03 = NAME=<hostname_SID_SYSNR>, LB=20, ACTIVE=1
    Puerto de acceso interfaz web de administrador
    icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(DIR_INSTANCE)\sec\icmauth.txt
    Activaciu00F3n de la cachu00E9 de SAP Web Dispatcher
    icm/HTTP/server_cache_0/http_cache_control = true
    icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=$(DIR_INSTANCE)\cache
    Fichero de log de seguridad
    icm/security_log = LOGFILE=$(DIR_HOME)\log\security_%y%m%d.log, SWITCHTF=day, MAXSIZEKB=1024, FILEWRAP=off
    icm/HTTP/logging_0 = PREFIX=/, LOGFILE=$(DIR_HOME)\log\wd_log_%y%m%d.log, SWITCHTF=day, MAXSIZEKB=1024, FILEWRAP=off
    icm/log_level = 1
    Dispatcher Configuration
    wdisp/add_xforwardedfor_header = FALSE
    Parametrizacion de memoria
    Datos de sizing de los que se parten                                #
    #users = 1800 usuarios (900 concurrentes)
    #req_per_dialog_step = 6 peticiones HTTP por paso
    #thinktime_per_diastep_sec = 10 seg. de "thinktime"
    #conn_keepalive_sec = 30 seg. mantener conexiu00F3n abierta con ICM
    #icm/max_conn = users * req_per_dialog_step * conn_keepalive_sec / thinktime_per_diastep_sec
    icm/max_conn = 16200
    wdisp/HTTP/max_pooled_con = icm/max_conn
    wdisp/HTTP/max_pooled_con = 16200
    icm/max_sockets = al menos la suma de icm/max_conn y wdisp/HTTP/max_pooled_con
    icm/max_sockets = 32400
    mpi/buffer_size = 64K = 64 * 1024 = 65536
    mpi/buffer_size = 65536
    mpi/total_size_MB = icm/max_conn * mpi/buffer_size (hay que convertir mpi/buffer_size a MB)
    mpi/total_size_MB = 1024
    icm/req_queue_len = icm/max_conn / 2
    icm/req_queue_len = 8100
    icm/min_threads = icm/max_conn / ~50
    icm/min_threads = 512
    icm/max_threads = icm/max_conn / ~20
    icm/max_threads = 1024
    Parametrizacion de seguridad
    Evitar el envu00EDo de mensajes tu00E9cnicos al usuario final
    is/HTTP/show_detailed_errors = FALSE
    #icm/HTTP/error_templ_path
    And ICM parameters are:
    - SAPLOCALHOSTFULL= <FQDN of every application server>
    - icm/server_port_0 = PROT=HTTP,PORT=8080,TIMEOUT=90,PROCTIMEOUT=600:
    - icm/host_name_full = <FQDN of every application server>  ## This parameter is ignored if SAPLOCALHOSTFULL is defined
    I hope it helps you.
    Best regards,
    Sergio Su00E1nchez

  • Reverse Proxy - Apache vs SAP Web Dispatcher

    Hi,
    my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
    Web developments are based on Abap Web Dynpro and are also located on ECC.
    To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
    Those 2 systems are located in intranet. Intranet access are realized via http.
    Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
    Technical target chain links are depicted below.
    internet access : browser (https) -
    >  (https) reverse proxy in DMZ (http) -
    > IS (Portal/ECC)
    intranet access : browser (http) -
    > IS (portal/ECC)
    At the moment two application gateway solutions have been identified :
    Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
    SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
    I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
    Regards.
    Frederic.

    Hi,
    PRO Webdispatcher:
    - Supports SAP Java + ABAP
    - Loadbalancing of SAP applications (stateful)
    - Supports load balancing (saplb_* cookie)
    - Free of costs
    - easy to set up (up & running in 2 minutes)
    - Supports HA solutions out-of-the-box (process HA)
    - Filter + Rules to modify the requests
    CONS Webdispatcher
    - not a full reverse proxy
    - Limited functionality
    - one more server/solution (normaly, a company already does have a reverse proxy solution in place)
    - limited user base (only SAP customers)
    PRO Apache
    - free
    - widly in use
    - full reverse proxy
    - allows more complex filtering / rewriting
    - can be used for more web solutions, reuse of existing apache reverse proxy
    CONS Apache
    - does not support SAP load balancing (connection to the message server port for load distribution)
    - can be more complex to set up
    - SAP specific technology / problems are more harder to fix (ABAP, Stateful connections, sap_lb*)
    Short: both will server well as a reverse proxy.
    Rule of thumb: If you go for Apache or Web Dispatcher should mainly depend on you current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it .
    If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
    br,
    Tobias

  • SAP Web dispatcher not forwarding incoming HTTP portal sessions.

    Hello,
    We are using an EP6 Portal from which Abap Web dynpros are launched. The incoming http sessions were accessing our backend ECC6 SAP system through the sap server message . The http sessions were badly dispatched between the two abap servers. We have been advised by SAP to use the sap web dispatcher instead.
    The sap web dispatcher has been correctly installed and configured (on the central abap instance ).
    I have carefully read the SAP help section concerning the server selection using the sap web dispatcher :
    http://help.sap.com/saphelp_nw04s/helpdata/en/5f/7a343cd46acc68e10000000a114084/frameset.htm
    All our settings seem to be OK :
    The incoming HTTP requests are forwarded to abap servers only.
    *In transaction SICF, all the services under the tree
    sap/public/icf_info have been assigned to the same logon group .
    The capacity of the two servers included in the logon
    group " is the same :
    server40 LB=12
    server60 LB=12
    In the Web interface, capacity equal "1" for the two servers.
    wdisp/load_balancing_strategy=  weighted_round_robin
    In the SAP web interface, the prefered server is ALWAYS the same :
    Status of Server Group "LOADIS"
    Loadbalancing Information
    Number of Servers in this group 2
    Last used Server
    Preferred next Server server40_SPA_10
    But it seems that the sap web dispatcher is not used at ALL.
    The Load distribution is still based on the SMLG workload as it was the case, before, with the sap message server. The information displayed in the web interface (preferred server) is wrong.
    The Preferred next Server is ALWAYS server40_SPA_10 (shown in the web interface), but, in fact, the http sessions are distributed between the two servers server60_SPA_00 and server40_SPA_10 depending on the server quality diplayed in transaction smlg. It was exactly the same behaviour we had before, only with the sap server message .
    Any useful help would be highly appreciated.
    Best Regards.

    Hi,
    firstly, have you checked note 1094342? What variant do you want to use? Do you terminate a SSL connection on web dispatcher and create a new one between web dispatcher and application server? It looks like the web dispatcher can't verify SSL certificate used by application server. Maybe you've already tried this but you can try to turn off SSL between dispatcher and application server. If this setup works then problem is in SSL connection. You can check what host name is used in SSL certificate and what host name is used by dispatcher. You can use parameter wdisp/ssl_certhost which sets host name which will be used for certificate validation.
    Cheers

  • Issue in Installing Sap Web Dispatcher

    Hi Experts,
    We have Installed Sap Web Dispatcher in our landscape for https connection and we have generated the pse certificate .We were stuck in the next step as we have to forward this request to a certification authority such as Verisign or Thawte. 
    Can you please let us know the process on how we have to forward this request to Certification Authority.
    Thanks in Advance..
    Regards,
    Krishna.M

    Hi,
    You are right ... It does NOT matter.
    Here is no unicode/non-unicode version available for the webdispatcher.There is only one version available, and this use the non-unicode kernelpackage. You can carry on with the installation without any problem.
    Rgds,
    Sheikh Saggaf

  • SAP Web Dispatcher for Portal reverse proxy

    Hi Experts,
    I am on EP6.0 SP20 and trying to use SAP web dispatcher as reverse proxy.
    I followed the below web log to configure the web dispatcher.
    [How to...Configure SAP Webdispatcher as a reverse proxy|How to...Configure SAP Webdispatcher as a reverse proxy]
    I still have some problems logging into the Portal through the web dispatcher.
    Web Dispatcher is in the DMZ not behind the firewall. We opened the port 80 only for Web dispatcher server.
    We are getting an error in the browser,
    http://<host of portal>.<domain name>:50000/irj/portal can not be recognized.
    I have no clue to how to get rid of this error. any help will be greatly appreciated.
    Regards,

    Hi,
    I do not know the exact ESS WebDynpro you are using but it may be possible that these WebDynpros use absolute URLs which of course do not point to the hostname and port of the Web Dispatcher.
    There are several ways to circumvent this:
    Please check http://help.sap.com/saphelp_nw04s/helpdata/en/62/5f374ff72c40478fcba2bb4fa79ddf/frameset.htm and add the parameters wdisp/add_client_protocol_header and (more important for you: wdisp/handle_webdisp_ap_header) to the WebDynpro configuration.
    (A nice explenation why we have to use this can be found here: https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bsp/using+proxies&)
    another way would be to tell the J2EE engine directly that it is behind a WebDispatcher, by setting the ProxyMappings (http://help.sap.com/saphelp_nw70/helpdata/en/b8/437d46d4451e4c9ab756e272a1581d/frameset.htm)
    Regards,
    Holger.

  • Kernel NW740 for SAP Web Dispatcher

    Hello,
    where and how can I find the correct kernel "NW740" for my SAP Web Dispatcher installation?
    I proceeded like this:
    Software Provisioning Manager -> SAPinst -> SAP Netweaver 7.4 -> MS SQL Server -> SAP Systems -> Standalone Engines -> Web Dispatcher.
    Now during step 2 "defining parameters" I need to provide a software package calles "Kernel NW740". My server is a MS server 2008 x64.

    Is it this one:
    SAPEXE_60-10011888.SAR
    Kernel Part I
    Found here: My Company's Application Components" Complimentary Software" SAP KERNEL 64-BIT" SAP KERNEL 7.40 64-BIT -> windows x64 -> db independent

  • SAP Web Dispatcher Configuration in a FPN

    Hi all,
    We are using SAP Web Dispatcher 720 (latest patch 85).
    We are having a FPN network. One consumer portal, with  more than 5 producer portal (ECC JAVA, BW JAVA..etc) and more than 5 different backends (ECC, BW, SRM..etc)
    We are using SSL termination at the web dispatcher.
    We have configured all our consumer, producer, backends in  our web dispatcher instance,  to use the domain name with different ports.
    Eg :
    https://domainname.com - refers to our consumer portal
    https://domainname.com:7110 - refers to our producer portal 1
    https://domainname.com:7111 - refers to our producer portal 2
    https://domainname.com:6100 - refers to our ABAP backend system 1
    https://domainname.com:6111 - refers to our ABAP backend system 2 ..etc..,
    by configuring so, we are facing lots of page not found issue intermittenly, as SAPlb cookies are passed incorrectly, since all refers to the same domain name (it ignores the different ports).
    Can someone helps us to narrate how to configure web dispatcher which suites our  FPN network. We can't go for different URLs for each system, as it requires more than 16 URLs and 16 web dispatcher instances.
    Can someone share their experience
    Thanks & Regards
    Senthil

    Hello Ravi,
    Try to include directory 'admin' within directory
    'sapwebdisp'.
    You can let sapwebdisp create a sapwebdisp.pfl on your
    behalf with option '-bootstrap'.
    You will see the password for user 'icmadm'.
    and this line
    "icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin"
    Then you use URL
    'http://sapwedisphost:<xxxx>/sap/wdisp/admin/default.html'
    See this documentation in
    'http://help.sap.com/saphelp_nw04/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm'
    (specially topic "Monitoring ..."
    Kind Regards,
    Toni

  • SAP Web Dispatcher does not start as windows service

    Hi,
    I have successfully installed and configured SAP Web Dispatcher. When I start the web dispatcher from command prompt, it works fine. I created a windows service for web dispatcher using the command
    ntscmgr install sapwebdisp -b "c:\program files\sap\sapwebdisp\sapwebdisp.exe"
    -p "service pf=sapwebdisp.pfl -cleanup -auto_restart"
    The command successfully created sapwebdisp service. The service also starts fine, but web dispatcher does not get started.
    Any ideas experts?

    Hi,
    Ok. Few suggestions.
    1. Can you review the SAP note:
    552286  Troubleshooting for the SAP Web Dispatcher
    2. When you said: "web dispatcher does not get started ", what error you got ? Can you be more details here ?
    3. Please check the trace file dev_webdisp" that generated in the work directory. If the log entries is not abvious, increase the trace level to 2 or 3, and reproduce and re-check the trace file.
    4. What is the output of the command "sapwebdisp -v"
    5. How about sapwebdisp.pfl ? Are those settings correct ?
    Hope this helps.
    Regards,
    Vincent

  • A question about SAP Web Dispatcher

    Following paragraph is copied from TADM10_2 book, Page 39 (Participant Handbok, 2005Q4, 50074912). My question is why there are two same  items - ABAP-only scenario? I might be print issue.
    The SAP Web Dispatcher can be used for load balancing in the following scenarios:
    •* Java-only scenario, as described here.
    •* ABAP-only scenario (see SAP customer training course ADM102, “SAP Web AS Administration II”)
    *• ABAP-only scenario (see SAP customer training course ADM102, “SAP Web AS Administration II”)
    Please advise. Thanks so much.
    James

    HI,
    Yes, I think its a  print mistake. It should be ABAP Only and Both ABAP and Java Instance.
    Rgds
    Radhakrishna D S

Maybe you are looking for

  • ITunes 9.0.1 doesn't recognize my iPhone.

    I loaded iTunes 9.0.1 on a Clone while my iPhone was connected to Clone . . . usually, I sync my iPhone to my MacBookPro. Now, my iPhone displays a picture of the connection cable, an arrow pointing to the CD disk labeled iTunes. When I connect the i

  • Simple way to connect Oracle 11g XE with MS SQL Server 2000

    Is there a simple way to access SQL server database/ Tables within from Oracle 11g XE (Windows-32bit) on same machine. I am a novice so kindly keep it simple. Thanks

  • Playback speed is 'fast'?

    When playing a PAL captured sequence, it is playing at what appears to be 'fast forward' speed in the Viewer. I can't get it to play at normal speed! Any ideas?

  • Key Lock

    Hello! Since I upgraded my 9700, I have a problem with the key lock. I've already read, that a lot others have issues with it as well, but my problem is not, that I don't find the icon anymore. I use Blackberries because of the security options and n

  • I am not seeing the Extensions panel in Firefox 10.0.2 ?

    After reinstall firefox 10.0.2, when opening the Add-ons Manager, I can not see the components in the Extension Panel. My Java (TM) Platform is SE 6U31 (latest). I also open Troubleshooting Information tab but there is no information under Extensions