Table of Contents:

1. 2. 3. 4. 5. Purpose . 1 What is Web dispatcher? ...................................................... 1 What are the functions of SAP Web dispatcher? 2 Architecture of the SAP Web Dispatcher ..... 2 Server Selection and Load Balancing Using the SAP Web Dispatcher
5.1. 5.2. Server Selection ..... 3 Load Balancing ....... 5

6.

Configuring the SAP Web Dispatcher to Support SSL

6.1. 6.2. 6.3. Passing the SSL Connection ... 6 Terminating the SSL Connection . 6 Procedure
6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server ..........7 6.3.2. Configuring the SAP Web Dispatcher to Terminate The SSL Connection .....

6.4.

Pros and cons of End-to-End SSL / SSL-Termination

6.4.1. Web Dispatcher in End-To-End SSL mode

11

6.4.2. Web Dispatcher in SSL Termination mode .... 12

7.

Key points .... 12

1. Purpose:
This paper is intended to introduce Web Dispatcher and give detailed information on the associated advantages, implementation scenarios and SSL options. In general, below are the few questions those arise from the customer when they are looking towards protection / load balancing of an SAP system. What is SAP Web dispatcher? What are the functions of SAP Web dispatcher? Is it technically possible to have a single Web Dispatcher instance to support multiple backend systems? How to use the SAP Web Dispatcher to distribute workload across the different instances of an SAP system? How to configure the SAP Web Dispatcher to Support SSL?

2. What is Web dispatcher?

Just assume that your company offers its customers browser-based access to data from SAP systems. Technically, the Web applications in ABAP and Java are implemented on the SAP NetWeaver AS. Since a very large number of your customers use this service, your SAP system, which is connected to the Internet, has multiple instances. In this scenario how will you implement load distribution across the different instances of this SAP system? Answer is very simple: Web dispatcher. The SAP Web Dispatcher is an application-level gateway for HTTP requests to an SAP Web Application Server. The SAP Web Dispatcher is used as a software Web switch between the Internet and an SAP System. The SAP Web Dispatcher consists of one or more Web Application Servers. As a result, you have only one point of access for HTTP(S) requests in your system. In addition, the SAP Web Dispatcher balances the load so that the request is always sent to the server with the highest capacity. Please note that apart from web dispatcher, web requests can also be distributed through message server or ICM. However, these have only limited functionality and some disadvantages and is therefore not recommended by SAP. SAP web dispatcher is the SAP recommended process/method of distributing web requests as it has some advantages and additional functionality

3. What are the functions of SAP Web dispatcher?

Distribution of requests to both ABAP and Java application instances Denial of unwanted requests (i.e. Request filtering) Buffering of web requests Ensures that customers can access the SAP system via one address Provides security as it runs in DMZ (Demilitarized zone) Handles distribution of both http and https requests.

4. Architecture of the SAP Web Dispatcher:

The SAP Web dispatcher is located between the Web client (browser) and your SAP system that is running the Web application.

SAP web dispatcher forwards the incoming requests (HTTP, HTTPS) in turn to the SAP Web AS of the SAP system. The number of requests that are sent to a Web AS ABAP depends on its capacity, which depends on the number of configured dialog work processes. The capacity of a Web AS Java depends on the number of Server Processes. If the application is stateful, the SAP Web dispatcher ensures that with the next request, the user is forwarded to the server that is processing his or her application. To do this, it uses the session cookie with HTTP connections, and the client IP address with end-to-end SSL. Furthermore, the SAP Web dispatcher decides whether the incoming request should be forwarded to an ABAP or Java server.

5. Server Selection and Load Balancing Using the SAP Web Dispatcher:

5.1. Server Selection:

The SAP Web Dispatcher forwards each incoming HTTP(S) request to an appropriate SAP NW Application Server for processing, as illustrated in the following graphic.

Process Flow:

The SAP Web Dispatcher first checks whether the request is an ABAP or J2EE request. This distinction is based on the analysis of the URL prefix. For the URL http://portal.mindtree.com/A/B/C/Default.html, the prefix to be analyzed is the character string /A/B/C/. If this prefix is known in the ICF, this is an ABAP request. If the URL contains only one forward slash (/) after the host name, special handling is required: The value of the profile parameter is/HTTP/default_root_hdl determines the destination. In the case of an ABAP request, the SAP Web Dispatcher first uses a cookie to identify whether the request concerns a stateful application. If this exists, the decision is simple. The request is sent to the application server that is processing this session.For a stateless application, the internal group !DIAG is selected, which consists of all ABAP application servers. This is used only if a

logon group (maintained with transaction SMLG) is inherited or specified explicitly in the ICF service. AS Java also recognizes the concept of logon groups. If a specific logon group has not been configured for the prefix of the Java request called, the SAP Web Dispatcher uses the internal group !J2EE. In the case of a stateful application, this is indicated through the session information in the URL or a load-balancing cookie. For compatibility reasons, the session cookie jsessionid can also still be used here. The SAP Web Dispatcher obtains information about the logon groups and URL mapping from an ABAP application server via HTTP or HTTPS. For this to happen, the services /sap/public/icman and /sap/public/icf_info/* must be activated in the ICF.

5.2. Load Balancing:

One of the basic functionality of web dispatcher is that, it can help to balance the load between the application servers. Web Dispatcher does not establish connectivity directly with the application servers, rather it will establish the connectivity to Message Server to ensure the load is balanced across application servers. The SAP Web Dispatcher obtains information about the application servers of the SAP system from the message server via HTTP(S). You can use the SAP Web Dispatcher in pure ABAP systems as well as in combined ABAP + Java systems and pure Java systems. In this way, the installation option determines the message server with which the SAP Web Dispatcher communicates.

6. Configuring the SAP Web Dispatcher to Support SSL:

If you are using a stand-alone SAP Web Dispatcher in front of the SAP Web AS, then use the procedures below to configure the SAP Web Dispatcher to support SSL. The SAP Web Dispatcher can either pass the SSL connection to the server in the backend, or it can terminate the SSL connection. See the graphics below.

6.1. Passing the SSL Connection:

6.2. Terminating the SSL Connection:

6.3. Procedure:
6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server:

If the SAP Web Dispatcher is to pass the SSL connection to the server in the backend, then, in addition to the standard parameters, set the following profile parameter in the SAP Web Dispatchers profile:
icm/server_port_<xx>=PROT=ROUTER,PORT=<port>,TIMEOUT=<timeout_in_seconds>

6.3.2. Configuring the SAP Web Dispatcher to Terminate the SSL Connection
If the SAP Web Dispatcher is to terminate the SSL connection, then it must possess a security environment. To set up this security environment, perform the following: A. Install the SAP Cryptographic Library on the SAP Web Dispatcher. Download the SAP Cryptographic software from the market place, UNCAR the files using SAPCAR. Extract the contents of the SAP Cryptographic Library installation package. Copy the library file and the configuration tool sapgenpse.exe to a local directory, for example, the directory where the SAP Web Dispatcher is located. For this documentation, we will use the directory C:\Program Files\SAP\SAPWebDisp. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the library to its location using ftp on UNIX, then the file permissions may not be set correctly. Make sure that the user that runs the SAP Web Dispatcher is able to execute the library's functions. Create a sub-directory called sec and copy the ticket file to this directory. This is also the directory where the SAP Web Dispatchers PSEs and credentials are to be located. Location of the SAP Cryptographic Library C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll

Location of the Configuration Tool sapgenpse C:\Program Files\SAP\SAPWebDisp\sapgenpse.exe Location of the License Ticket C:\Program Files\SAP\SAPWebDisp\sec\ticket

B. Set the profile parameters. Make the below entries in the instance profile: --------------------------------------------------------------------------------SAPSYSTEMNAME # can be created. # The number must be different from the other SAP instances # on the host. SAPSYSTEM = 26 # Set DIR_INSTANCE so that the SAP Cryptographic Library can # find the sec sub-directory. DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp # Message Server Description rdisp/mshost = xyzmain ms/http_port = 8000 ms/https_port = 443 # Description of the Access Points icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900 icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900 icm/HTTPS/verify_client = 0 # Parameters for the SAP Cryptographic Library ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse # Parameters for Using SSL to the backend server wdisp/ssl_encrypt = 2 wdisp/ssl_auth = 2 wdisp/ssl_cred = SAPSSLC.pse wdisp/ssl_certhost = www.test.com = XYZ # SAPSYSTEM must be set so that the shared memory areas

---------------------------------------------------------------------------------

C. Create the SAP Web Dispatchers PSE(s) and certificate request(s). i. Creating the SAP Web Dispatchers PSEs Using the Trust Manager To create each PSE (SSL server PSE and SSL client PSE), using the trust manager: Start the trust manager (transaction STRUST). Using the context menu for the File node, choose Create (RSA). The Create PSE dialog appears. Enter the Distinguished Name parts in the corresponding fields according to your CAs naming convention. Save the PSE to local file (for example, the Web Dispatchers SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively. Creating the SAP Web Dispatchers PSEs and Certificate Requests Using SAPGENPSE As an alternative, you can use the configuration tool sapgenpse to create the SAP Web Dispatchers PSEs. Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it using the command line as shown below. set SECUDIR=<SECUDIR_directory> Use the tools command get_pse as shown below to create the SAP Web Dispatchers PSE. sapgenpse get_pse <additional_options> -p <PSE_Name> r <cert_req_file_name> -x <PIN> <Distinguished_Name> Where: -p: Path and file name for the PSE.If the complete path is not included, then the PSE file is created in the SECUDIR directory. -r: File name for the certificate request -x: PIN that protects the PSE

ii.

D. Send the certificate request(s) to a CA to be signed. For each certificate request that you created, send the contents of the certificate request to your CA. The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate. E. Import the certificate request response(s) into the PSE. i. Importing the Certificate Request Response Using the Trust Manager If you used the trust manager to create the SAP Web Dispatchers PSE, then you can easily use it again to import the certificate request response. For each of the PSEs that you created, perform the following: If the certificate request dialog is still open, then close it. If the SAP Web Dispatchers PSE is not loaded in the PSE maintenance section, then load it by selecting the File node with a double-click and selecting the PSE from the file system. In the PSE maintenance section, choose Import Cert. Response. The dialog for the certificate response appears. Insert the contents of the certificate request response into the dialogs text box either using Copy&Paste or by loading the file from the file system.The signed public-key certificate is imported into the SAP Web Dispatchers PSE, which is displayed in the PSE maintenance section. You can view the certificate by selecting it with a double-click. The certificate information is then shown in the certificate maintenance section. Create a PIN for the PSE. Importing the Certificate Request Response Using SAPGENPSE As an alternative, you can use the configuration tool sapgenpse to import the certificate request response into the PSEs. Use the tools command import_own_cert as shown below.
sapgenpse import_own_cert <Additional_options> <Cert_file> [-r <RootCA_cert_file>] -x <PIN> -p <PSE_file> -c

ii.

Where -p: Path and file name of the PSE. -c: Path and file name of the certificate request respons -r: File containing the CAs root certificate -x: PIN that protects the PSE
10

F. Create credentials for the SAP Web Dispatcher. Use the following command line to open each PSE and create credentials. sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID> Where: -p: Path and file name for the PSE. -x: PIN that protects the PSE -O: User for which the credentials are created. (The user that runs the SAP Web Dispatcher process.) G. Restart the SAP Web Dispatcher. H. Test the connection. Start a BSP using an HTTPS connection to your SAP Web Dispatcher and the corresponding SSL port. If your Web browser cannot completely verify the SAP Web Dispatcher's public-key certificate, then you will receive a dialog that states the reason why. For example, if your Web browser does not possess the issuing CA's root certificate as a trusted root certificate, then you are informed and can choose to trust the server at this time. If you trust the server's certificate (either automatically or manually), then the next step is to authenticate yourself. If your authentication was successful, the BSP appears.

6.4. Pros and cons of End-to-End SSL / SSL-Termination:

SSL is required in case of any need to protect the business data such as user credentials (e.g. passwords) and data security. It basically encrypts entire communication between browser and server.

6.4.1. Web Dispatcher in End-To-End SSL mode:

Pro : Client authentication with X.509 certificates End-to-End data security Load balancer is "untrusted" component Contra : Persistence based on client IP address only Load balancing problems : Proxies End of Session
11

IP Address based persistence usually OK in internet No logon groups No distinction between J2EE and ABAP applications

6.4.2. Web Dispatcher in SSL Termination mode :

Pro : Persistence based on application session ID Logon groups Detection of application type (ABAP/J2EE), select correct server Request parsing and URL filtering SSL re-encryption is possible

Contra : Harder to configure Web Dispatcher becomes "trusted component" (secure channel to WebAS needed) Make sure Web Dispatcher does not become performance bottleneck as it needs higher CPU capacity

7. Key points:
We have various scenarios that can be used while implementing Web Dispatcher, the scenario to be chosen comes down to one's requirement of security, performance, cost, effort, etc., Some of the interesting facts about web dispatcher are listed below. Web Dispatcher is a software load balancer and application layer gateway for SAP Web AS Web Dispatcher is not a reverse proxy, not meant to be. As of Netweaver 7.2, it is possible to have single web dispatcher to cater to multiple backend systems, NW 7.2 based Web Dispatcher is backward compatible and supports up to 6.10 Both End-to-End SSL and SSL Termination are available, SSL options to be chosen based on the requirement and by carefully analyzing the hardware and cost involved in setting up the chosen SSL option It is recommended to perform the sizing exercise with the realistic inputs No additional cost involved for license, Web Dispatcher is delivered at free of cost (part of Web AS)

12