Table of Contents: 1. Purpose …………………………………………………………. 1 2. What is Web dispatcher? ...................................................... 1 3. What are the functions of SAP Web dispatcher? …………… 2 4. Architecture of the SAP Web Dispatcher …………………..... 2 5. Server Selection and Load Balancing Using the SAP Web Dispatcher 5.1. Server Selection …………………………………………..... 3 5.2. Load Balancing …………………………………………....... 5 6. Configuring the SAP Web Dispatcher to Support SSL 6.1. Passing the SSL Connection ……………………………...… 6 6.2. Terminating the SSL Connection ……………………………. 6 6.3. Procedure 6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection to the Backend Server ………………..........7 6.3.2. Configuring the SAP Web Dispatcher to Terminate The SSL Connection …………………………....……. 7 6.4. Pros and cons of End-to-End SSL / SSL-Termination 6.4.1. Web Dispatcher in End-To-End SSL mode ……………… 11 6.4.2. Web Dispatcher in SSL Termination mode ………...……. 12 7. Key points …………………………………………………...…. 12
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Table of Contents:
1. Purpose …………………………………………………………. 1
2. What is Web dispatcher? ...................................................... 1
3. What are the functions of SAP Web dispatcher? …………… 2
4. Architecture of the SAP Web Dispatcher …………………..... 2
5. Server Selection and Load Balancing Using the SAP
Web Dispatcher
5.1. Server Selection …………………………………………..... 3
5.2. Load Balancing …………………………………………....... 5
6. Configuring the SAP Web Dispatcher to Support SSL
6.1. Passing the SSL Connection ……………………………...… 6
6.2. Terminating the SSL Connection ……………………………. 6
6.3. Procedure
6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL
Connection to the Backend Server ………………..........7
6.3.2. Configuring the SAP Web Dispatcher to Terminate
The SSL Connection …………………………....……. 7
6.4. Pros and cons of End-to-End SSL / SSL-Termination
6.4.1. Web Dispatcher in End-To-End SSL mode ……………… 11
6.4.2. Web Dispatcher in SSL Termination mode ………...……. 12
7. Key points …………………………………………………...…. 12
1
1. Purpose:
This paper is intended to introduce Web Dispatcher and give detailed
information on the associated advantages, implementation scenarios and SSL
options.
In general, below are the few questions those arise from the customer when
they are looking towards protection / load balancing of an SAP system.
What is SAP Web dispatcher?
What are the functions of SAP Web dispatcher?
Is it technically possible to have a single Web Dispatcher instance to support
multiple backend systems?
How to use the SAP Web Dispatcher to distribute workload across the different
instances of an SAP system?
How to configure the SAP Web Dispatcher to Support SSL?
2. What is Web dispatcher?
Just assume that your company offers its customers browser-based access
to data from SAP systems. Technically, the Web applications in ABAP and Java
are implemented on the SAP NetWeaver AS. Since a very large number of your
customers use this service, your SAP system, which is connected to the Internet,
has multiple instances. In this scenario how will you implement load distribution
across the different instances of this SAP system? Answer is very simple: Web
dispatcher.
The SAP Web Dispatcher is an application-level gateway for HTTP requests
to an SAP Web Application Server. The SAP Web Dispatcher is used as a software
Web switch between the Internet and an SAP System. The SAP Web Dispatcher
consists of one or more Web Application Servers. As a result, you have only one
point of access for HTTP(S) requests in your system. In addition, the SAP Web
Dispatcher balances the load so that the request is always sent to the server with
the highest capacity.
Please note that apart from web dispatcher, web requests can also be
distributed through message server or ICM. However, these have only limited
functionality and some disadvantages and is therefore not recommended by SAP.
SAP web dispatcher is the SAP recommended process/method of
distributing web requests as it has some advantages and additional functionality
2
3. What are the functions of SAP Web dispatcher?
Distribution of requests to both ABAP and Java application instances
Denial of unwanted requests (i.e. Request filtering)
Buffering of web requests
Ensures that customers can access the SAP system via one address
Provides security as it runs in DMZ (Demilitarized zone)
Handles distribution of both http and https requests.
4. Architecture of the SAP Web Dispatcher:
The SAP Web dispatcher is located between the Web client (browser) and your
SAP system that is running the Web application.
3
SAP web dispatcher forwards the incoming requests (HTTP, HTTPS) in turn to
the SAP Web AS of the SAP system. The number of requests that are sent to a
Web AS ABAP depends on its capacity, which depends on the number of
configured dialog work processes. The capacity of a Web AS Java depends on the
number of Server Processes. If the application is stateful, the SAP Web dispatcher
ensures that with the next request, the user is forwarded to the server that is
processing his or her application. To do this, it uses the session cookie with HTTP
connections, and the client IP address with end-to-end SSL.
Furthermore, the SAP Web dispatcher decides whether the incoming request
should be forwarded to an ABAP or Java server.
5. Server Selection and Load Balancing Using the SAP
Web Dispatcher:
5.1. Server Selection:
The SAP Web Dispatcher forwards each incoming HTTP(S) request to an
appropriate SAP NW Application Server for processing, as illustrated in the
following graphic.
4
Process Flow:
● The SAP Web Dispatcher first checks whether the request is an ABAP or J2EE
request. This distinction is based on the analysis of the URL prefix. For the URL
http://portal.mindtree.com/A/B/C/Default.html, the prefix to be analyzed is the
character string /A/B/C/. If this prefix is known in the ICF, this is an ABAP
request. If the URL contains only one forward slash (/) after the host name,
special handling is required: The value of the profile parameter
is/HTTP/default_root_hdl determines the destination.
● In the case of an ABAP request, the SAP Web Dispatcher first uses a cookie to
identify whether the request concerns a stateful application. If this exists, the
decision is simple. The request is sent to the application server that is
processing this session.For a stateless application, the internal group !DIAG is
selected, which consists of all ABAP application servers. This is used only if a
5
logon group (maintained with transaction SMLG) is inherited or specified
explicitly in the ICF service.
● AS Java also recognizes the concept of logon groups. If a specific logon group
has not been configured for the prefix of the Java request called, the SAP Web
Dispatcher uses the internal group !J2EE. In the case of a stateful application,
this is indicated through the session information in the URL or a load-balancing
cookie. For compatibility reasons, the session cookie jsessionid can also still
be used here.
● The SAP Web Dispatcher obtains information about the logon groups and URL
mapping from an ABAP application server via HTTP or HTTPS. For this to
happen, the services /sap/public/icman and /sap/public/icf_info/* must be
activated in the ICF.
5.2. Load Balancing:
One of the basic functionality of web dispatcher is that, it can help to balance
the load between the application servers. Web Dispatcher does not establish
connectivity directly with the application servers, rather it will establish the
connectivity to Message Server to ensure the load is balanced across application
servers.
The SAP Web Dispatcher obtains information about the application servers
of the SAP system from the message server via HTTP(S). You can use the SAP
Web Dispatcher in pure ABAP systems as well as in combined ABAP + Java
systems and pure Java systems. In this way, the installation option determines the
message server with which the SAP Web Dispatcher communicates.
6
6. Configuring the SAP Web Dispatcher to Support SSL:
If you are using a stand-alone SAP Web Dispatcher in front of the SAP Web
AS, then use the procedures below to configure the SAP Web Dispatcher to
support SSL. The SAP Web Dispatcher can either pass the SSL connection to the
server in the backend, or it can terminate the SSL connection. See the graphics
below.
6.1. Passing the SSL Connection:
6.2. Terminating the SSL Connection:
7
6.3. Procedure:
6.3.1. Configuring the SAP Web Dispatcher to Pass the SSL Connection
to the Backend Server:
If the SAP Web Dispatcher is to pass the SSL connection to the
server in the backend, then, in addition to the standard parameters, set
the following profile parameter in the SAP Web Dispatcher’s profile:
C. Create the SAP Web Dispatcher’s PSE(s) and certificate request(s).
i. Creating the SAP Web Dispatcher’s PSEs Using the Trust Manager
To create each PSE (SSL server PSE and SSL client PSE), using the
trust manager:
Start the trust manager (transaction STRUST).
Using the context menu for the File node, choose Create (RSA).
The Create PSE dialog appears.
Enter the Distinguished Name parts in the corresponding fields according to your CA’s naming convention.
Save the PSE to local file (for example, the Web Dispatcher’s SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.
ii. Creating the SAP Web Dispatcher’s PSEs and Certificate Requests Using SAPGENPSE
As an alternative, you can use the configuration tool sapgenpse to create the SAP Web Dispatcher’s PSEs.
Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it using the command line as shown below.
set SECUDIR=<SECUDIR_directory>
Use the tool’s command get_pse as shown below to create the SAP Web Dispatcher’s PSE.
-O: User for which the credentials are created. (The user that runs the SAP
Web Dispatcher process.)
G. Restart the SAP Web Dispatcher.
H. Test the connection.
Start a BSP using an HTTPS connection to your SAP Web Dispatcher
and the corresponding SSL port.
If your Web browser cannot completely verify the SAP Web Dispatcher's
public-key certificate, then you will receive a dialog that states the reason
why. For example, if your Web browser does not possess the issuing CA's
root certificate as a trusted root certificate, then you are informed and can
choose to trust the server at this time.
If you trust the server's certificate (either automatically or manually), then
the next step is to authenticate yourself.
If your authentication was successful, the BSP appears.
6.4. Pros and cons of End-to-End SSL / SSL-Termination:
SSL is required in case of any need to protect the business data such as
user credentials (e.g. passwords) and data security. It basically encrypts
entire communication between browser and server.
6.4.1. Web Dispatcher in End-To-End SSL mode:
Pro :
Client authentication with X.509 certificates
End-to-End data security
Load balancer is "untrusted" component
Contra :
Persistence based on client IP address only
Load balancing problems :
Proxies
End of Session
12
IP Address based persistence usually OK in internet
No logon groups
No distinction between J2EE and ABAP applications
6.4.2. Web Dispatcher in SSL Termination mode :
Pro :
Persistence based on application session ID
Logon groups
Detection of application type (ABAP/J2EE), select correct server
Request parsing and URL filtering
SSL re-encryption is possible
Contra :
Harder to configure
Web Dispatcher becomes "trusted component" (secure channel to WebAS needed)
Make sure Web Dispatcher does not become performance bottleneck as it needs higher CPU capacity
7. Key points:
We have various scenarios that can be used while implementing Web Dispatcher, the scenario to be chosen comes down to one's requirement of security, performance, cost, effort, etc., Some of the interesting facts about web dispatcher are listed below.
Web Dispatcher is a software load balancer and application layer gateway for SAP Web AS
Web Dispatcher is not a reverse proxy, not meant to be.
As of Netweaver 7.2, it is possible to have single web dispatcher to cater to multiple backend systems, NW 7.2 based Web Dispatcher is backward compatible and supports up to 6.10
Both End-to-End SSL and SSL Termination are available, SSL options to be chosen based on the requirement and by carefully analyzing the hardware and cost involved in setting up the chosen SSL option
It is recommended to perform the sizing exercise with the realistic inputs
No additional cost involved for license, Web Dispatcher is delivered at free of cost (part of Web AS)