Web Dispatcher SWD IP Filtering

Is there a way to filter inbound SAP Web Dispatcher (SWD) connections by IP Address. I know the SWD has URL filtering for where a message is routed but I want to filter source information.
Thank You,
Joe

I'd do it at the external router (assuming the SWD is deployed in your DMZ between an external and internal router).
Rich

Similar Messages

SAP Web dispatcher and WebAS 6.20 ?

Hi all,
I'm trying to configure a standalone SAP Web dispatcher (SWD) to access our WebAS (WAS), but I don't understand how to setup the configurations files.
Currently I can reach the SWD admin via: http://swdhost:81/sap/wdisp/admin/default.html
The WebAS (ABAP) service I want to access is at:
http://washost/ris
The SWD pfl file looks like this:
# Profile generated by sapwebdisp bootstrap
# unique instance number
SAPSYSTEM = 1
# Accesssability of Message Servers
rdisp/mshost = swdhost
ms/http_port = 80
# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/url_map_location = file://urlprefix.txt
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=81
# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
Urlprefix.txt looks like this:
version 1.0
PREFIX=%2fRIS%2f&CASE=&VHOST=%2a%3a%2a%3b
Now after reading most of the post in the forum and the docs, I still cant understand how I can "say" to SWD to map http://swdhost:81/ris to http://washost/ris .
Thanks in advance for your help.
Best Regards
Erik

Hi Alexander,
Thanks, the ms/http_port parameter was not set in my WAShost, now the SWD can see the WAS
now if I try to reach :
http://WAShost:81/sap/public/ping , I get a reply from my WAShost.
but I can't reach http://SWDhost:81/ris or http://SWDhost:81/sap/bc/was/sap/zris
http://WAShost/ris is an alias of http://WAShost/sap/bc/was/sap/zris.
Anyway thanks already.
Cheers
Erik

Apache Server Sizing and Web Dispatcher filtering

Hi,
We are planning to expose our intranet portal for internet user. An internet user would access it via browser (https) -> Apache - reverse proxy (outer DMZ) -> Web Dispatcher - Load Balancing (Inner DMZ) -> Portal.
We are looking for end-to-end SSL implementation.
My questions:
1] Do we need to have load balancing at apache server for performing reverse proxy? If yes, how it would be achieved?
2] What is the hardware sizing required for Apache server on Linux box?
3] Does the portal performance is affected by end-to-end SSL implementation?
4] In load balancing using Web Dispatcher, can we forward particular request to a specific application server? Like, filter out the internet requests or forward BI related requests to a specific application server node.
Regards,
Sham

Hi,
1) Depends on your requirement. When you have 1 Apache RP and 1 SAP Web Dispatcher, you won't need load balancing of at the Apache.
2) Depends on the number of concurrent requests you are expecting. More information on that can be found at apache.org
3) Portal performance gets affected when using SSL and the portal is responsible for the SSL (there are product out there that do the SSL handling). How much the SSL will affect your portal depends on the number of users. But generally the impact of SSL isn't really high with recent hardware, the portal will be more occupied with the number of users, navigation, etc than with SSL
4) You can use logon groups to assign a specific user (group) to a dedicated server
br,
Tobias

Web Dispatcher Not forwading XML document to SAP XI

Hi Everyone,
We have a web dispatcher that is accepting an HTTP Post over SSL and forwarding this connection to our SAP XI system. Our client post to the box and we see the ssl information in the log and then a string of information about connecting to our J2EE Engine where XI resides.
Here is a snippet from the SWD log:
[Thr 6768] IcmPlCheckRetVal: Next status: WAIT_FOR_DATA(5)
[Thr 6768] IcmHandleNetWrite(id=0/6): HandleServData returned: 5
[Thr 6768] Address    Offset IcmWriteToConn:
[Thr 6768] -
[Thr 6768] 030718FC 000000 c1003297 8535ef16 f9aae7c8 34f128ef |..2..5......4.(.|
[Thr 6768] 0307190C 000016 778dba96 22a728b5 96357d83 75e173a8 |w...".(..5}.u.s.|
[Thr 6768] 0307191C 000032 668a1525 5d1fa229 42312e5a e837a4c3 |f..%]..)B1.Z.7..|
[Thr 6768] 0307192C 000048 25cd16a2 7bee0812 965c59d9 c3af4d79 |%...{....\Y...My|
[Thr 6768] 0307193C 000064 2a17300d a7057b2e 9f5c452c e2b795ff |*.0...{..\E,....|
[Thr 6768] 0307194C 000080 33f3a39f 57c3a039 1fb0c0dd 1c25416d |3...W..9.....%Am|
[Thr 6768] 0307195C 000096 fafa2ac6 ddc3c4f3 b4507205 f5332181 |..*......Pr..3!.|
[Thr 6768] 0307196C 000112 12bb6b77 2eba8afa 084e260f db56666f |..kw.....N&..Vfo|
[Thr 6768] 0307197C 000128 6811e524 1c9d315c 0a324594 1050b990 |h..$..1\.2E..P..|
[Thr 6768] 0307198C 000144 4fb501e7 4224449b 206368c5 969d3b7a |O...B$D. ch...;z|
[Thr 6768] 0307199C 000160 b0e220c8 01fa8b78 e7ae629e 7020b726 |.. ....x..b.p .&|
[Thr 6768] 030719AC 000176 bc0b4c60 82565941 9489134b cdf256e8 |..L`.VYA...K..V.|
[Thr 6768] 030719BC 000192 5e80f602 7d080dce 20ea88b4 7e7b690c |^...}... ...~{i.|
[Thr 6768] 030719CC 000208 4106caca 670aa222 4264014c 62dbfd21 |A...g.."Bd.Lb..!|
[Thr 6768] 030719DC 000224 7ef8388a 8f0ff98a 4e36e1d0 d99eb46f |~.8.....N6.....o|
[Thr 6768] 030719EC 000240 a4aa0d74 2f2a796d 8635fe94 7db1886f |...t/*ym.5..}..o|
[Thr 6768] -
[Thr 6768] IcmWriteToConn(id=0/6): prepared to write data to partner (len = 1372)
[Thr 6768] NiIWrite: write 1372, 1 packs, RAW_IO, hdl 10, data complete
[Thr 6768] IcmWriteToConn(id=0/6): wrote data to partner (len = 1372)
[Thr 6768] MPI<d>0#10 DiscardOutbuf l0 0 0 111868 0 0 -> 030718A8 0
[Thr 6768] NiIPeek: peek successful for hdl 11 / socket 131040 (r)
[Thr 6768] IcmReadFromPartner(id=0/6): read with maximum timeout 500
[Thr 6768] IcmReadFromPartner(id=0/6): request new MPI (0/0)
[Thr 6768] MPI<d>0#11 GetOutbuf -1 111868 65536 (0) -> 030718C8 0
[Thr 6768] IcmReadFromPartner(id=0/6): connection broken (len=0,0)
[Thr 6768] ConnPoolCloseNiHdl:
[Thr 6768]    Pool Entry: 0999C0D0:
[Thr 6768]    NI: 11, SSL: 00000000, allocated: 1, inuse: 1, desc: 08242DF0
[Thr 6768] NiICloseHandle: shutdown and close hdl 11 / socket 131040
[Thr 6768] IcmReadFromPartner(id=0/6): connection broken (buf_used=0)
[Thr 6768] PlugInStopConn: close connection
[Thr 6768] PlugInStopConn: shutdown backend connection
[Thr 6768] ConnPoolCloseNiHdl:
[Thr 6768]    Pool Entry: 0999C0D0:
[Thr 6768]    NI: -1, SSL: 00000000, allocated: 1, inuse: 1, desc: 08242DF0
[Thr 6768] IcrDetachFromServer: closing port 50001/1/0
[Thr 6768] IcmConnPoolFreeEntry: free conn pool entry 0999C0D0[0] in pool 08242D90 (nihdl=-1, ssl=00000000)
[Thr 6768] HTR: decrement load factor: 4000 -> 0 (d=4000)
[Thr 6768] ICR: IcrDetachFromServer -> 0
[Thr 6768] MPI<c>1#23 Close( 1 ) del=0 -> 0
[Thr 6768] MPI<c>1#25 Delete( 1 ) -> 0
[Thr 6768] MPI<c>1#24 Close( 1 ) del=1 -> 0
[Thr 6768] MPI<d>0#12 Close( 0 ) del=0 -> 0
[Thr 6768] MpiIFreeAllBuffers(): free 1120360
[Thr 6768] MPI<d>0#14 Delete( 0 ) -> 0
[Thr 6768] MPI<d>0#13 Close( 0 ) del=1 -> 0
[Thr 6768] NiICloseHandle: shutdown and close hdl 10 / socket 131032
[Thr 6768] IcmConnClose: Connection 0/6 closed
[Thr 6768] IcmConnFreeContext: context 0 released
[Thr 6768] IcmServDecrRefCount: IB2.SERV1.mydomain.com:44380 - serv_ref_count: 1
[Thr 6768] IcmWorkerThread: Thread 8: Waiting for event
[Thr 876] Tue Apr 01 12:38:19 2008
[Thr 876] NiIPeekListen: peek successful for hdl 4 / socket 131232 / socket -1
[Thr 876] SetQoS not possible, no QoS Provider available
[Thr 876] NiIInitSocket: set default settings for socket 131032
[Thr 876] NiIAccept: connect from: host 10.22.4.197, port C8.7C/51324, fam 2 (low adr..high adr)
[Thr 876] NiCreateHandle: state hdl 10 / socket 131032 NI_INITIAL
[Thr 876] nilh-localCheck: using local address list
[Thr 876] NiIAccept: took local port AD.5C/44380
[Thr 876] NiSetStat: state hdl 10 NI_CONNECTED
[Thr 876] NiIBlockMode: switch off block-mode for hdl 10 / socket 131032
[Thr 876] IcmExternalLogin: Connection request from Client received
[Thr 876] IcmConnCheckStoredClientConn: next client timeout check in 75 sec
[Thr 876] IcmServIncrRefCount: IB2.SERV1.mydomain.com:44380 - serv_ref_count: 2
[Thr 876] IcmQueueAppend: queuelen:     1
[Thr 7876] IcmWorkerThread: worker 9 got the semaphore
[Thr 876] IcmCreateRequest: Appended request 20
[Thr 7876] REQUEST:
    Type: ACCEPT CONNECTION    Index = 19
[Thr 876] IcmConnIntegrateServer: accepted connection from 10.22.4.197 on service 44380
[Thr 7876] CONNECTION (id=0/7):
    used: 1, role: 1, stateful: 0
    NI_HDL: 10, protocol: 16
    host: 10.22.4.197:44380
    status: NOP
    connect time: 01.04.2008 12:38:19
    MPI request:        <0>      MPI response:        <0>
    request_buf_size:   0        response_buf_size:   0
    request_buf_used:   0        response_buf_used:   0
    request_buf_offset: 0        response_buf_offset: 0
[Thr 7876] MPI:0 create pipe 02F60180 1
[Thr 7876] MPI<e>0#1 Open( ANONYMOUS 0 1 ) -> 0
[Thr 7876] MPI<e>0#2 Open( ANONYMOUS 0 0 ) -> 0
[Thr 7876] MPI:1 create pipe 02F60298 1
[Thr 7876] MPI<f>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 7876] MPI<f>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 7876] IcrHostStrToInt: hostname 10.22.4.197 = addr -989587958
[Thr 7876] RoutePlugInStartConn: Accepted connection from client: 10.22.4.197, -989587958
[Thr 7876] RoutePlugInStartConn: masked client ip: 10.22.0.0, 5642
[Thr 7876] IcrClientTabGetEntry: entry->key.client_ip: 5642, inst_name: J2EE2045300
[Thr 7876] RoutePlugInStartConn: tab entry for 10.22.4.197 found: instance->J2EE2045300
[Thr 7876] found matching port: prot=1 vhost=-1 port=50001 f=8
[Thr 7876] IcmIConnPoolAllocEntry: no unused entry for pool 08242D90 found (reuse conn: 0)
[Thr 7876] IcmIConnPoolAllocEntry: try to create new entry for pool 08242D90
[Thr 7876] IcmConnPoolAllocSlot: allocated entry 0999C0D0[0] of pool 08242D90
[Thr 7876] nihsl-getHostAddr: found hostname 'My.SAP.XI.System' in cache
[Thr 7876] nihsi-getHostAddr: hostname 'My.SAP.XI.System' = addr IP.of.My.SAP.XI.System
[Thr 7876] nihsi-getServNo: servicename '50001' = port C3.51/50001
[Thr 7876] NiCreateHandle: state hdl 11 / socket -1 NI_INITIAL
[Thr 7876] NiIBlockMode: switch off block-mode for hdl 11 / socket -1
[Thr 7876] NiLowLevCon: connect to: host IP.of.My.SAP.XI.System, port C3.51/50001, fam 2 (low adr..high adr)
[Thr 7876] NiIInitSocket: set default settings for socket 131024
[Thr 7876] NiISocket: hdl 11 got socket 131024
[Thr 7876] NiPConnect: connect in progress
[Thr 7876] SiPeekPendConn: connection of socket 131024 established
[Thr 7876] NiLowLevCon: took local port 06.9B/1691
[Thr 7876] nilh-localCheck: using local address list
[Thr 7876] NiSetStat: state hdl 11 NI_CONNECTED
[Thr 7876] IcmConnPoolConnect: Connection to host: My.SAP.XI.System, service: 50001 established (nihdl=11)
[Thr 7876] IcmConnPoolNewEntry: created new entry 0999C0D0[0] for pool 08242D90 (nihdl=11, ssl=00000000)
[Thr 7876] ICR: IcrAttachToServer('J2EE2045300' 1 4 1 port:50001/1/0) 0-> 0
[Thr 7876] RoutePlugInStartConn: routing 10.22.4.197 to destination J2EE2045300
[Thr 7876] IcmPlCheckRetVal: Next status: READ_REQUEST(1)
[Thr 7876] IcmReadFromConn(id=0/7): request new MPI (0/0)
[Thr 7876] MPI<e>0#3 GetOutbuf -1 111868 65536 (0) -> 030718C8 0
[Thr 7876] IcmReadFromConn(id=0/7): connection broken (len=0,0)
[Thr 7876] NiICloseHandle: shutdown and close hdl 10 / socket 131032
[Thr 7876] IcmReadFromConn(id=0/7): connection broken
[Thr 7876] PlugInStopConn: close connection
[Thr 7876] PlugInStopConn: shutdown backend connection
[Thr 7876] ConnPoolCloseNiHdl:
[Thr 7876]    Pool Entry: 0999C0D0:
[Thr 7876]    NI: 11, SSL: 00000000, allocated: 1, inuse: 1, desc: 08242DF0
[Thr 7876] NiICloseHandle: shutdown and close hdl 11 / socket 131024
[Thr 7876] IcrDetachFromServer: closing port 50001/1/0
[Thr 7876] IcmConnPoolFreeEntry: free conn pool entry 0999C0D0[0] in pool 08242D90 (nihdl=-1, ssl=00000000)
[Thr 7876] HTR: decrement load factor: 4000 -> 0 (d=4000)
[Thr 7876] ICR: IcrDetachFromServer -> 0
[Thr 7876] MPI<e>0#4 Close( 0 ) del=0 -> 0
[Thr 7876] MpiIFreeAllBuffers(): free 1120360
[Thr 7876] MPI<e>0#6 Delete( 0 ) -> 0
[Thr 7876] MPI<e>0#5 Close( 0 ) del=1 -> 0
[Thr 7876] MPI<f>1#3 Close( 1 ) del=0 -> 0
[Thr 7876] MPI<f>1#5 Delete( 1 ) -> 0
[Thr 7876] MPI<f>1#4 Close( 1 ) del=1 -> 0
[Thr 7876] IcmConnClose: Connection 0/7 closed
[Thr 7876] IcmConnFreeContext: context 0 released
[Thr 7876] IcmServDecrRefCount: IB2.SERV1.mydomain.com:44380 - serv_ref_count: 1
[Thr 7876] IcmWorkerThread: Thread 9: Waiting for event
We checked the J2EE logs on the XI server but we do not see any activity. Is the document making to XI or is this failing in SWD?
Thanks for the help.
PS Here is my SWD config:
Profile generated by sapwebdisp bootstrap
unique instance number
SAPSYSTEM = 5
add default directory settings
DIR_EXECUTABLE = .
DIR_INSTANCE = .
Accessibility of Message Servers
rdisp/mshost = MY.XI.SERVER.IP
ms/http_port = 8110
SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6
configuration for default scenario (medium size)
icm/max_conn      = 500
icm/max_sockets   = 1024
icm/req_queue_len = 500
icm/min_threads   = 10
icm/max_threads   = 50
icm/conn_timeout = 60000
mpi/total_size_MB = 80
#maximum number of concurrent connections to one server
wdisp/HTTP/max_pooled_con = 500
wdisp/HTTPS/max_pooled_con = 500
SAP Web Dispatcher Ports
icm/server_port_0 = PROT=ROUTER,PORT=44380,TIMEOUT=3000
icm/server_port_1 = PROT=HTTP,PORT=64000
icm/HTTPS/verify_client=0
SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
Edited by: Joe Wright on Apr 1, 2008 7:51 PM

Hi
Did you check the connectivity i.e web dispatcher with any other system(LandScape).
For example CRM for FICO.
Thanks
Sukrut S

Reverse Proxy - Apache vs SAP Web Dispatcher

Hi,
my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
Web developments are based on Abap Web Dynpro and are also located on ECC.
To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
Those 2 systems are located in intranet. Intranet access are realized via http.
Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
Technical target chain links are depicted below.
internet access : browser (https) -
> (https) reverse proxy in DMZ (http) -
> IS (Portal/ECC)
intranet access : browser (http) -
> IS (portal/ECC)
At the moment two application gateway solutions have been identified :
Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
Regards.
Frederic.

Hi,
PRO Webdispatcher:
- Supports SAP Java + ABAP
- Loadbalancing of SAP applications (stateful)
- Supports load balancing (saplb_* cookie)
- Free of costs
- easy to set up (up & running in 2 minutes)
- Supports HA solutions out-of-the-box (process HA)
- Filter + Rules to modify the requests
CONS Webdispatcher
- not a full reverse proxy
- Limited functionality
- one more server/solution (normaly, a company already does have a reverse proxy solution in place)
- limited user base (only SAP customers)
PRO Apache
- free
- widly in use
- full reverse proxy
- allows more complex filtering / rewriting
- can be used for more web solutions, reuse of existing apache reverse proxy
CONS Apache
- does not support SAP load balancing (connection to the message server port for load distribution)
- can be more complex to set up
- SAP specific technology / problems are more harder to fix (ABAP, Stateful connections, sap_lb*)
Short: both will server well as a reverse proxy.
Rule of thumb: If you go for Apache or Web Dispatcher should mainly depend on you current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it .
If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
br,
Tobias

Reverse Proxy in web dispatcher

Any statistic on which product is better / qualifies better to be used as a reverse proxy.. (& wherein generic (forward) proxy services can be disabled)
Web Dispatcher
Apache
Microsoft IIS
Any other product ?
Thanks,

Thanks !!!
> URL filtering: the Web Dispatcher 7.2 supports more than one SAP backend, but you should take a look into the confguration page at SAP Help to find out if it matches your future scenario.
I am looking for WD based on 7.3 for both the roles (Reverse proxy and load balancing). But I'll check if there is anything for me to be concerned about...
> looking at your scenario, you'll have at least 1 reverse proxy in your DMZ and the Web Dispatcher will be an additional reverse proxy (for internal and/or external access).
>
> The Web Dispatcher will be connected to the message server of the portal, so when a server/node goes down, the web dispatcher will be notified. That's a vantage over another reverse proxy.
Yes, we have one server reserved for reverse proxy software and another for load balancing (WD).. These two roles need to be on separate servers as per logistics requirement... So, is this what you are talking about..
User <> WD as reverse proxy on server1 <> WD for load balancing server2 <--> EP Message Server.

CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

Hi,
We need to set up access to crm_ui reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to setup the web-dispatcher in the application dmz. The initial login is going to be via the web dmz layer (using sun's iplanet server), which then routes the crm URL to the web dispatcher in the App dmz and then from the web dispatcher to CRM server.
One requirement from our security team is to set up the flow as HTTPS.
On going through SAP help I get the impression that it can be set up two ways, one, configuring web dispatcher to pass the SSL connection to backend, & two - configuring the web dispatcher to terminate SSL.
Seems the former is quite straight forward (from SAP online help we have to set the icm/server_port_<xx>> = PROT=ROUTER) but does it also require that we setup the crm_ui_frame service as SSL and activate the HTTPS service in ICM?
Or is it better to go via the second option (HTTPS termination) without changing the backend setup? SAP Online help lists steps to do the HTTPS termination but I have not come across any detailed documentation for the first method.
Any thoughts, suggestions will be helpful for either scenario.
Thanks,
Rommel Bhan

Thanks Martin the document helped.
Now the web dispatcher seems to talk to the HTTPS port on the backend.
However there is one issue I see in the dev_webdisp and was wondering if you have an insight.
Based on webdispatcher parameters, its taling to ms_https_port 8533 of backend
[Thr 773] Mon Feb 15 15:03:35 2010
[Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 773]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 773] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"
[Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 773] << -
End of Secude-SSL Errorstack -
[Thr 773]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 773]   SSL NI-sock: local=10.104.146.81:62579 peer=10.104.146.81:8533
[Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT
[Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]
[Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c   5976]
[Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3289]
[Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3290]
[Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3291]
My backend is setup with SSL and web dispatcher is set to the following. Also since the backend and sapweb dispatcher are on the same host, using the same sidadm, the SSL stuff is on one location. I generated the SAPSSLS.pse in the backend using STRUST
Accessibility of Message Servers
rdisp/mshost = sapcms02
ms/http_port = 8100
ms/https_port = 8533
wdisp/server_info_protocol = https
SAP Web Dispatcher Ports
icm/server_port_0 = PROT=ROUTER,PORT=60000
icm/server_port_1 = PROT=HTTPS,PORT=0
icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port
#SSL parameters similar to one in backend
ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssf/name = SAPSECULIB
ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse

Portal and web dispatcher

Please i need your help, i´am new in this and i´am trying to run the portal on internet with the web dispatcher, i already get the wd work, and i can see the admin page.
I have de wd running on a web server (saphost1) in standalone mode,(when i configured the wd i gave the portal message server port, and the name of the host in which the portal is running), and the portal running in other server (saphost2) in an ABAP+JAVA WebAS,
i want to access the portal through the wd but i don´t know how to do that (redirect the url from saphost1:/irj/portal) , i searched in the docs but i haven´t found something.
Please help me i really need to get this done the sooner as possible
Thanks
Coatl

Hi Martin!!!
Thank you very much, that was just what i was looking for. i have another doubt, i done everything that the SAP Library says, but when i try to display the portal, i get the next error:
500 Dispatching Error
Error: -26
Version: 7000
Component: HTTP_ROUTE
Date/Time: Wed Feb 14 12:46:58 2007
Module: http_route.c
Line: 3122
Server: acsservicios__00
Error Tag:
Detail: no valid destination server available for '!ALL' rc=13
In the sapwebdisp.pfl i have the next values:
Profile generated by sapwebdisp bootstrap
unique instance number
SAPSYSTEM = 6
add default directory settings
DIR_EXECUTABLE = .
DIR_INSTANCE = .
Accessibility of Message Servers
rdisp/mshost = acslobot.advanced.local
ms/http_port = 8106
use static description files for logon groups: group info
wdisp/group_info_location = file:
icrgroups.txt
use static description files for logon groups: url prefixes
wdisp/url_map_location = file:
urlinfo.txt
#maximum number of concurrent connections to one server
wdisp/HTTP/max_pooled_con = 500
wdisp/server_info_location = file:
C:\SAPWebDisp\icrgroups.txt
wdisp/HTTPS/max_pooled_con = 500
SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=8006
SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/icm/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
icm/HTTP/redirect_0 = PREFIX=/, TO=/irj/portal
when i aces to de address: <webdisphost>:8006/...i get the mentioned error, where 8006 is the port where the wd listen, but when i try to aces the url <webdisphost>:8006 it says that the page cant be found
What can be grown with my configuration....please need your help
Coatl

How to use Web Dispatcher in XI

XI receives some messages and passes them onto CRM for processing. The user ID that is used between XI & CRM communication of Service user type.Due to this reason, this user has consumed the dialog processes available during the process.The error seems to indicate that the load was too heavy and that the system ran out of memory blocks reserved for XI to CRM communication. There are 2 application servers for CRM, in addition to the central instance.We can use the web-dispatcher in XI (instead of a particular Application instance).
Web dispatcher will then assign the message to the available application instance.
The question is How do we Use Web Dispatcher in XI with respect to this scenario??
Can anybody put light on this issue.

Have a look here
http://help.sap.com/saphelp_nw70/helpdata/en/43/39c7b227b91bcbe10000000a1553f7/frameset.htm
Regards,
Prateek

WebAS access via Portal: Web Dispatcher required for load balancing ABAP

Hi Folks -
We have EP 6.0 SP18 (Java only, WebAS 6.40, Unix/Solaris). The portal has a CI/SCS and one DI so we have a Web Dispatcher to load balance the portal servers. This works fine (and provides port 80 access).
This portal will provide access to HTTP services from an ABAP WebAS (6.20 with 6.40 kernel, Unix/Solaris). A landscape configuration entry has been added to the portal for this ABAP system. The ABAP system has a CI and multiple app servers, all capable of handling HTTP requests. This will also require port 80 access.
1. Will we need an additional Web Dispatcher to load balance HTTP requests to the 'backend' ABAP WebAS system, or will the portal be smart enough to handle the load balancing itself (perhaps based on the information in the landscape configuration)?
2. If the portal itself handles the HTTP load balancing can you point me to documentation (so I can make sure I have proper configuration)?
3. Are there any changes to this with NW2004s Portal (we plan to upgrade soon)?
Thanks in advance! Jeff

Jeff,
Regarding:
Q1. If you create a system object from the "SAP system with load balancing" template in portal and configure the object to point to your CI (msg server), the LB should be handled.
Q2. Portal load balancing is handled by the message server. If you point a test URL to the port of your message server, you will notice that you are issued a redirect the URL of your dialog instance. The web dispatcher is just a proxy (with some intelligence). When a request is made to the WD, it makes a connection to the MSG server, the list of active instances is queried, a redirect is made to that instanct. If you use WD, that connection can be proxied behind a standard URL. If you connect directly to the MSG Server instead, you will notice your URL change, just as it does on the service marketplace.
WDs are good for providing services, masked (proxied) behind virtual names. If you do not want the customer to see a physical URL of the server, use the WD. There are lots of other solutions that can do this too though such as Apache, ISA, Juniper devices, Cisco LDs. WDs have a very low performance threshold though, especially if you use SSL. WD is a performance bottleneck and should be benchmarked to see if it is right for your application.
Q3. No changes this architecture in 04s.
jwise

Error when configuring Web Dispatcher for SSL with Enterprise Portal

We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ). We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103). We are now receiving this strange certificate error when we start the Web Dispatcher:
[Thr 5332] Tue Mar 20 00:36:23 2007
[Thr 5332]   MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
[Thr 5332]   SSL socket: local=<IPADDRESS>:4742 peer=<IPADDRESS>:8103
[Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
[Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c      4919]
[Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2301]
[Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2302]
[Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c      2303]
We have gone through the trouble shooting note 552286 as listed in the error above. Any assistance is appreciated.

Hello, did you receive any resolution for this problem? We are receiving a similar error and I am unsure of how to resolve.

Error in Web Dispatcher

Hello,
SAP web dispatcher is down.
Log dev_sapwebdisp:
Thr 11068] Mon Jun 08 11:56:35 2009
[Thr 11068] *** ERROR => no valid destination server available for '!J2EE' rc=13 [http_route.c 3126]
[Thr 11068] *** WARNING => redirect failed request to foreign destination '!ALL' [http_route.c 3146]
[Thr 11068] *** WARNING => original destination was '!J2EE' [http_route.c 3149]
[Thr 11068] *** ERROR => no valid destination server available for '!ALL' rc=14 [http_route.c 3126]
[Thr 11068] *** WARNING => redirect failed request to foreign destination '!ALL' [http_route.c 3146]
[Thr 11068] *** WARNING => original destination was '!ALL'
Thanks.

I am very happy to know it, thank you !
That's is funny, you got a wicked sense of humor!
Is there a question in your message ?
I am sorry, is this twitter, where you just blog your updates? No! this a forum where you come if you have problems. Sometimes, you are over burdened with problems and you forget to mention "Please help" or any other obligatory line, requesting a solution. But any considerate person with even half a brain should understand that.
It's a very commonplace mistake and you exactly know that I have a problem and I am seeking help here.
Instead of trying to act over-smart and arrogant, you could have easily ignored the post and moved on.
If you want answers, you should learn how to post questions on a forum...
You may be an administrator/moderator here, Sir, but you lack the very basic skills of humility and understanding.

How to create a system object in portal that points to a web dispatcher

Hi,
How do we create a system object in the portal for a web dispatcher? The web dispatcher in turn points to an ECC system. The path for communication is EP>Web Dispatcher>ECC
Regards,
Sridevi

Hi,
Connection test for the following succeeded:
1. SAP Web AS Connection
Test Details:
The test consists of the following steps:
1. Checks the validity of system ID in the system object.
2. Checks if the system can be retrieved from the PCD.
3. Check whether a SAP system is defined in the system object
4. Validate the following parameters: WAS protocol; WAS host name
5. Checks if the host name of the server can be resolved.
6. Pings the WAS ping service; works only if the service is activated on the ABAP WAS.
7. Checks HTTP/S connectivity to the defined back-end application
Results
1. The system ID is valid
2. The system was retrieved.
3. The system object represents an SAP system
4. The following parameters are valid: Web AS Protocol (http) Web AS Host Name (mtw02spwp02:80)
5. The host name mtw02spwp02 was resolved successfully.
6. The Web AS ping service http://mtw02spwp02:80/sap/bc/ping was not pinged successfully. If the ping service is not activated on the Web AS, you can try to call the ping service manually.
7. An HTTP/S connection to http://mtw02spwp02:80/sap/bc/bsp/sap was obtained successfully.
2. ITS Connection
Test Details:
The test consists of the following steps:
1. Checks the validity of system ID in the system object.
2. Checks if the system can be retrieved from the PCD.
3. Check whether the system object has a valid system alias
4. Check whether a SAP system is defined in the system object
5. Validate the following parameters: ITS protocol; ITS host name
6. Checks if the host name of the server can be resolved.
7. Checks HTTP/S connectivity to the defined back-end application
Results
1. The system ID is valid
2. The system was retrieved.
3. Retrieval of the default alias was successful
4. The system object represents an SAP system
5. The following parameters are valid: ITS Protocol (http) ITS Host Name (mtw02spwp02:80)
6. The host name mtw02spwp02 was resolved successfully.
7. An HTTP/S connection to http://mtw02spwp02:80/sap/bc/gui/sap/its/webgui was obtained successfully.
Next test for SSO failed:
Test Connection with Connector
Test Details:
The test consists of the following steps:
1. Retrieve the default alias of the system
2. Check the connection to the backend application using the connector defined in this system object
Results
Retrieval of default alias successful
Connection failed. Make sure that Single Sign-On is configured correctly
Regards,
Sridevi

SAP Web Dispatcher Configuration in a FPN

Hi all,
We are using SAP Web Dispatcher 720 (latest patch 85).
We are having a FPN network. One consumer portal, with more than 5 producer portal (ECC JAVA, BW JAVA..etc) and more than 5 different backends (ECC, BW, SRM..etc)
We are using SSL termination at the web dispatcher.
We have configured all our consumer, producer, backends in our web dispatcher instance, to use the domain name with different ports.
Eg :
https://domainname.com - refers to our consumer portal
https://domainname.com:7110 - refers to our producer portal 1
https://domainname.com:7111 - refers to our producer portal 2
https://domainname.com:6100 - refers to our ABAP backend system 1
https://domainname.com:6111 - refers to our ABAP backend system 2 ..etc..,
by configuring so, we are facing lots of page not found issue intermittenly, as SAPlb cookies are passed incorrectly, since all refers to the same domain name (it ignores the different ports).
Can someone helps us to narrate how to configure web dispatcher which suites our FPN network. We can't go for different URLs for each system, as it requires more than 16 URLs and 16 web dispatcher instances.
Can someone share their experience
Thanks & Regards
Senthil

Hello Ravi,
Try to include directory 'admin' within directory
'sapwebdisp'.
You can let sapwebdisp create a sapwebdisp.pfl on your
behalf with option '-bootstrap'.
You will see the password for user 'icmadm'.
and this line
"icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin"
Then you use URL
'http://sapwedisphost:<xxxx>/sap/wdisp/admin/default.html'
See this documentation in
'http://help.sap.com/saphelp_nw04/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm'
(specially topic "Monitoring ..."
Kind Regards,
Toni

Web dispatcher upgradation document from netweaver 7.0 to 7.1

hi guys,
           I need web dispatcher upgradation document.i didn't get document in service market place and sdn.So please tell that document site.

Hi Srinivas,
If you are looking for Web Dispatcher patch upgradation..here is the procedure
Download SAP Web Dispatcher latest version based on your OS.
1) This is available on SAP Service Marketplace at http://service.sap.com/patches:
                    Support Packages and Patches
                    -> Entry by Application Group
                    -> Additional Components
                    -> SAP Kernel
                    -> SAP Kernel 32 Bit or SAP Kernel 64 Bit
                    -> SAP Kernel 7.00 nn Bit
                    -> Operating system platform
                    -> "Database independent
                    The package is called sapwebdisp_<.....>.sar
2) Shutdown your SAP system and take the kernel backup.
3) Uncar the file sapwebdisp_<....>.sar and copy the content to the kernel directory
4) Start the SAP system
Check Note 538405 - Composite SAP Note: SAP Web Dispatcher
Please close the thread if this answers your question.
Thanks,
Sridhar

Web Dispatcher SWD IP Filtering

Similar Messages

Maybe you are looking for