This article provides a brief overview of the SAP Web Dispatcher function. It provides the function of a "software" web switch for applications running on your SAP Web Application Server. It acts as the single entry point for all web requests destined for your SAP Web AS. It distributes and load balances these requests among the different application server instances.
Copyright: Attribution Non-Commercial (BY-NC)
This article appeared in the Oct/Nov/Dec 2002 issue of SAP Insider and appears here with permission from the publisher, Wellesley Information Services (WIS), www.WISpubs.com.
Subscribe today. Visit www.SAPinsider.com.

Regular Feature: Security Strategies

Achieving Network Security and Secure Load Balancing with the SAP Web Dispatcher

Dr. Jürgen Schneider, SAP AG

One of the questions commonly asked these days about SAP systems, and the SAP Web Application Server in particular, concerns the setup of networks and SAP application server instances for optimal security and availability. This is particularly true of customers who are running large intranets with hundreds, perhaps thousands of clients, and then connecting these intranets — and their SAP applications — to the Internet. Clearly, they want to make sure that their SAP servers are safe from attacks at various levels, especially at the network and communications level, as it provides the means to access the SAP applications from inside and outside the company. Of course, the more connections there are with the Internet, the more web requests come into your system, and the greater the demands on your system resources. So it has become increasingly important to properly distribute incoming web requests over the available application server instances to achieve optimal load balancing.

With SAP Web Application Server (Web AS) Release 6.20, the SAP Web Dispatcher function provides additional help for precisely these tasks. This article provides a brief overview of the SAP Web Dispatcher function and the benefits it provides for network security and secure load balancing for your SAP Web Application Server installations.

What Is the SAP Web Dispatcher?

The SAP Web Dispatcher provides the function of a "software" web switch for applications running on your SAP Web Application Server. It is a standalone program provided with the SAP Web Application Server Release 6.20 that can be installed separately on a server in the De-Militarized Zone (DMZ) between your intranet and the Internet.(1) To help ensure high availability and greater security, the SAP Web Dispatcher has two main functions:

■ It acts as the single entry point for all web requests destined for applications running on the SAP Web AS.
■ It distributes and load balances these requests among the different application server instances.

As such, the SAP Web Dispatcher represents a "first line of defense" against all kinds of attacks at the network and protocol level — mainly denial of service attacks by network flooding, and protocol attacks via malformed URLs and HTTP requests, such as buffer overflow attacks.

At the same time, the SAP Web Dispatcher provides load balancing for both stateless and stateful SAP applications, whether they are Business Server Pages (BSP) or Java-based (J2EE) applications. The Web Dispatcher functions keep track of the current load of the application server instances and take care that web requests belonging to one session are always sent to the same application server instance holding that session.

(1) Although this is the most important use of the SAP Web Dispatcher program, it can be used to support the separation of network zones and optimal load balancing inside your intranet as well.

Positioning the SAP Web Dispatcher in Your Network for Enhanced Security

To realize secure access from the Internet, the SAP Web Dispatcher is placed on a computer running in your network's DMZ. Typically, with this setup, a first, external firewall system blocks all access from the Internet, allowing only the HTTP and HTTPS protocols to pass through. Even then, these protocols can only reach the computers installed in the DMZ (see Figure 1). The SAP Web Dispatcher runs on one of these computers in the DMZ. It receives the requests and, if appropriate, routes the requests over a second, internal firewall system to one of the application servers in the internal network.

[Figure 1: Network Positioning of the SAP Web Dispatcher and SAP Web Application Server Instances]

The major benefit is that, even if a denial of service and buffer overflow attack were successful, it could only affect the SAP Web Dispatcher, leaving all the other parts of your SAP Web AS installation fully operational (for example, for intranet access). A simple restart of the SAP Web Dispatcher after the attack immediately provides recovery from such situations, should they occur.

However, unlike other functions of the application server processes — like user authentication and authorization — the SAP Web Dispatcher function always remains an "untrusted" part of this process system, and it only forwards HTTP(S) requests and responses to and from the web clients. As part of this function, the SAP Web Dispatcher is able to analyze incoming web requests, check if they belong to an existing session (HTTP only), and then make the routing decision, using information about logon groups and the current load situation of the SAP application server instances, to forward it to the appropriate application server session. To retrieve current information about existing application servers, configured logon groups, and their URL mappings, the SAP Web Dispatcher communicates with the message server and the application server instances of your SAP Web AS installation. As such, it can be perceived as an extension of the Internet Communication Manager (ICM) processes, which run with each of the application server instances and handle communications between the SAP Web Application Server and all clients.(2)

(2) For more on the Internet Communication Manager in SAP Web Application Server, see the white paper "SAP Web Application Server: Building Reliable Business Applications" at www.SAP.com/solutions/technology.

For stateful applications, the SAP Web Dispatcher inspects the HTTP requests and looks for the SAP_CONTEXT_ID cookie. If this cookie is present, it contains information about the application server instance holding the corresponding session. The SAP Web Dispatcher uses this information to route the request to this application server instance.

For HTTPS requests, where the complete request data is encrypted by means of the Secure Sockets Layer (SSL) protocol, the client IP address is used as the basis for load balancing only. We will get back to this mode in a later section.

URL Load Balancing for High Availability

The SAP Web Dispatcher uses a "weighted round-robin" approach, familiar to solution architects, to divide the load for maximum "fairness" of scheduling. The "weight" is derived from the number of work processes configured for each application server instance. The Web Dispatcher is set to route new, incoming web requests in the round-robin to the next application server instance, depending on the server's previous load.

The basic configuration of the SAP Web Dispatcher is purposely simple, and setup requires little work on the part of system administrators. The next sections detail how you can start using the Web Dispatcher so it can begin gathering the information it needs — server load, URL mappings, HTTPS routing, etc. — and some simple options you can add to meet the particular needs of your own systems.

Simple Setup and Minimal Configuration

The SAP Web Dispatcher program was designed to require "zero administration." Just copy the sapwebdisp executable from your SAP Web Application Server Release 6.20 installation to the computer where the SAP Web Dispatcher should run. To start it, enter

    sapwebdisp pf=<profile>

on the command line of your administration console for this computer, where <profile> is the path and filename of a file containing the SAP profile parameter settings. The profile file only requires some basic information to be up and running: the instance number of the appropriate SAP system, the host name of the message server, and the port numbers to be used for HTTP and HTTPS, as you can see in the profile example at the end of this article. If you choose, you can incorporate additional options to supplement the SAP Web Dispatcher defaults.

URL Mapping and Filtering

To fulfill mapping and filtering functions, the SAP Web Dispatcher needs to know which URLs map to which services and applications in the SAP Web AS. By default, only those URLs that actually map to existing applications need to be processed. In addition, you can configure certain URLs to be handled by corresponding server groups only (logon groups). Configuration of the URLs and URL prefixes — and the virtual hosts and logon groups supporting them — is done by the administrator of your SAP Web Application Server installation using dialog transaction SICF (see Figure 2). By default, the SAP Web Dispatcher retrieves these configuration settings from one of the application servers by using the public information services of the Internet Communication Framework (ICF) function of the SAP Web AS, so that it understands which services are linked to which applications. In Figure 2, you can see these public services provided by the ICF listed in the icf_info service group of the default host configuration.

[Figure 2: Administration of Service Access in the SAP Web Application Server]

If you are not using the default host, but you have configured your own virtual hosts with SICF, you have to provide aliases in SICF pointing to the ICF public information services to be used by the Web Dispatcher. You can then make your aliases for the ICF public services available to the Web Dispatcher by setting the profile parameter wdisp/url_map_location in the profile file for the Web Dispatcher (see the example profile at the end of this article).

In addition to mapping capabilities, the SAP Web Dispatcher and the SICF configuration settings provide powerful functions for URL filtering and blocking. As an option in the profile file for the SAP Web Dispatcher, you can define a URL permission table with profile parameter wdisp/permission_table, as shown in the sample profile. The entries in the permission_table file can either permit (P) or deny (D) URL patterns from passing through the Web Dispatcher. Setting a URL pattern to S would require the use of HTTPS for all the URLs defined by this pattern. The entries are evaluated from top to bottom, and the first matching entry is applied. The usual strategy is to first have explicit "permit" entries for the URLs mapped to configured applications and then add "deny" entries for anything else. The default SAP service tree can also be blocked at the SAP Web Dispatcher this way. For example, your permission_table entries might look like this:

    P /public/catalog
    P /shop/public
    P /shop/start
    D /public/*
    D /shop/*
    P /sap/bc/ping
    D /sap/*

✔ NOTE! Using the permission_table option with the SAP Web Dispatcher provides URL blocking for your SAP Web Application Server installation only as long as there is no other network path that bypasses the SAP Web Dispatcher. As a result, it is highly recommended that you do not rely on this option exclusively, but also activate and deactivate services as desired in your SAP Web Application Server installation directly using dialog transaction SICF.

Load Balancing with SSL: The HTTPS Routing Option

When working with secure web requests over the Secure Sockets Layer (SSL) protocol and HTTPS, the request data is completely encrypted using strong cryptography. This encryption is end-to-end — from the web client (the web browser, for example) through to the Internet Communication Manager (ICM) process in the receiving application server instance. As a result, the SAP Web Dispatcher does not have access to the request data and cannot use the URL or the data contained in the SAP_CONTEXT_ID cookie for load balancing. Instead, it uses other information to make the load-balancing decision while preserving stateful sessions. In the case of HTTPS web requests, the only information available to the Web Dispatcher is the client IP address. This might present a certain problem for load balancing, since a whole group of web clients could potentially use a single HTTP proxy through which they send their requests. The SAP Web Dispatcher cannot differentiate between different web clients that are sending requests via the same HTTP proxy. Sometimes, a group of web clients might even use alternate HTTP proxies during one session, depending on the Internet provider being used.

There are a couple of ways around this. It is possible to specify a bitmask for load balancing based on the client IP address ("sticky-mask"), so that requests from a whole group of clients are always routed to the same application server, which is required to support stateful applications. It is also possible to create a special logon group that contains all application servers where SSL is configured and that support HTTPS. The incoming HTTPS requests will then only be distributed between the servers in this group. Our sample profile file is set to handle HTTPS load balancing this way.

In any case, it is obvious that the client IP address-based load balancing might not be optimal if a large percentage of web clients are located behind a single HTTP proxy. Here we are faced with a typical tradeoff between optimal load balancing and end-to-end security. In the end, whether this is a satisfactory approach to load balancing will depend on your expected web clients and where they are located. Whether it is wise to therefore terminate the SSL connections before your application server instances can be a matter of debate between the networking and the security camps in your administration staff. This option is not currently provided by the SAP Web Dispatcher, but is possible with the SAP Web AS using public-domain or partner solutions.

Example of a "Profile" File for the SAP Web Dispatcher

    # Minimum configuration settings:
    # SAP System identification and instance number (examples)
    SAPSYSTEMNAME = C11
    SAPSYSTEM = 66
    # Describe message server host (example host name)
    rdisp/mshost = sidmain
    # Description of access ports (examples)
    icm/server_port_0 = PROT=HTTP, PORT=8855, TIMEOUT=30
    icm/server_port_1 = PROT=ROUTER, PORT=22222, TIMEOUT=300

    # Example additional configuration settings:
    # (only needed if defaults are not ok)
    # URL mapping infos (examples)
    wdisp/max_url_map_entries = 50
    wdisp/url_map_location = /acme/urlinfos
    # URL filtering (example file name)
    wdisp/permission_table = cfg/permtab
    # Parameters for HTTPS routing (examples)
    # This example bitmask "masks" the last 12 bits of client IP addresses,
    # so, for example, 124.94.55.1 and 124.94.55.99 appear to be the same
    wdisp/HTTPS/dest_logon_group = HTTPSGROUP
    wdisp/HTTPS/sticky_mask = 255.255.240.0
    # Server infos and info refresh interval (examples)
    wdisp/max_servers = 100
    wdisp/max_server_groups = 32
    wdisp/server_info_location = /msgserver/text/logon
    wdisp/group_info_location = /acme/groupinfos
    wdisp/auto_refresh = 120

Summary

This article provided an overview of the SAP Web Dispatcher, an important function of SAP Web AS Release 6.20 that can be very useful for complementing your network security and providing load balancing for applications running on your SAP Web AS installation. If you are planning on installing the SAP Web AS on your system, consider maximizing its security capabilities by installing the SAP Web Dispatcher in the DMZ of your network to protect your main SAP Web AS installation from various attacks from the Internet. Once you have gone through the simplified setup, you'll encounter "zero administration" in most cases.

As a kind of simple "software" web switch, the SAP Web Dispatcher is not intended to replace or compete with enhanced offerings by SAP partner vendors in this area that, for example, provide the same functions with higher performance through dedicated hardware solutions or extend filtering and screening capabilities as compared to the SAP Web Dispatcher. The use of partner solutions is still possible with the SAP Web AS.

For more information on the SAP Web Dispatcher function, see the SAP Web Application Server 6.20 online documentation at http://help.sap.com.

Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP's Technology Development. He can be reached at j.schneider@sap.com.
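The evaluation rule for the permission table in the "URL Mapping and Filtering" section (top-to-bottom, first match wins, P permits, D denies, S insists on HTTPS) can be modelled in a few lines. The following Python is an added example written for this page, not code from SAP or from the article; it uses the table entries quoted above as constructed input. Two things are this example's own assumptions and not stated by the article: a trailing `*` is treated as a prefix wildcard and anything else as an exact path, and a URL matching no entry is denied. The dot-segment normalization before matching is also an addition, the check a defender would want so that a deny pattern is not sidestepped by a path that merely looks different.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample table: the permission_table entries quoted in the article
# (specific permits first, then the broad denies, because the first match wins).
PERMTAB = """\
P /public/catalog
P /shop/public
P /shop/start
D /public/*
D /shop/*
P /sap/bc/ping
D /sap/*
"""


@dataclass(frozen=True)
class Rule:
    action: str    # 'P' permit, 'D' deny, 'S' permit only over HTTPS
    pattern: str   # URL path; a trailing '*' makes it a prefix pattern

    def matches(self, path):
        # Assumption: '*' is only meaningful at the end of a pattern, as in the
        # article's examples; every other pattern is an exact path match.
        if self.pattern.endswith("*"):
            return path.startswith(self.pattern[:-1])
        return path == self.pattern


def parse_permission_table(text):
    """Parse 'ACTION PATTERN' lines; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        action, pattern = action.upper(), pattern.strip()
        if action not in ("P", "D", "S") or not pattern.startswith("/"):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        rules.append(Rule(action, pattern))
    return rules


def decide(rules, url, default="D"):
    """Return 'P' (forward) or 'D' (block) for one request URL.

    Entries are evaluated top to bottom and the first match is applied; an 'S'
    entry permits the URL only when the request arrived over HTTPS. A URL that
    matches nothing gets `default`; the article does not state the built-in
    default, so denying is this example's conservative assumption.
    """
    parts = urlsplit(url)
    # Collapse '.' and '..' segments before matching (an addition of this
    # example) so the pattern is applied to the path the server would resolve.
    path = posixpath.normpath(parts.path) if parts.path else "/"
    for rule in rules:
        if rule.matches(path):
            if rule.action == "S":
                return "P" if parts.scheme == "https" else "D"
            return rule.action
    return default


def check_table(rules, urls):
    """Evaluate several URLs at once: {url: decision}."""
    return {u: decide(rules, u) for u in urls}


if __name__ == "__main__":
    # Constructed host name and URLs for the demonstration.
    rules = parse_permission_table(PERMTAB)
    sample = [
        "http://webdisp.example/public/catalog",
        "http://webdisp.example/public/admin",
        "http://webdisp.example/sap/bc/ping",
        "http://webdisp.example/sap/bc/bsp/demo",
    ]
    for url, verdict in check_table(rules, sample).items():
        print(verdict, url)
```

Running it prints P for `/public/catalog` and `/sap/bc/ping` and D for the other two, which is the effect the article describes: only explicitly mapped URLs pass, and the rest of the default SAP service tree is blocked at the dispatcher. As the article's note stresses, this blocking only helps if no network path bypasses the Web Dispatcher, so the same services should also be deactivated in SICF.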
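The routing decision described in the "URL Load Balancing for High Availability" section (weighted round-robin keyed on work processes, sessions pinned by the SAP_CONTEXT_ID cookie) and in the "HTTPS Routing Option" section (client-IP sticky mask, HTTPS restricted to a dedicated logon group) can be shown end to end in one small model. The Python below is an added example for this page, not SAP code and not the Web Dispatcher's actual algorithm; it reads the HTTPS parameters from the article's sample profile, uses constructed instance weights and logon groups, and makes two assumptions the article does not spell out: that the cookie value names the holding instance, and that the sticky key is mapped to a group member by a fixed formula (the article only requires that equal keys always yield the same server).

```python
import ipaddress
from http.cookies import SimpleCookie

# Constructed profile fragment: the HTTPS routing parameters from the article's sample profile.
PROFILE = """\
# Parameters for HTTPS routing (examples)
wdisp/HTTPS/dest_logon_group = HTTPSGROUP
wdisp/HTTPS/sticky_mask = 255.255.240.0
"""

# Constructed inventory: work processes per instance (the round-robin "weight")
# and which instances belong to the HTTPS logon group (SSL configured there).
WORK_PROCESSES = {"appsrv1": 10, "appsrv2": 5, "appsrv3": 5}
LOGON_GROUPS = {"HTTPSGROUP": ["appsrv2", "appsrv3"]}


def parse_profile(text):
    """Read 'key = value' lines of an SAP profile file; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not a profile setting: {line!r}")
            params[key.strip()] = value.strip()
    return params


class Dispatcher:
    def __init__(self, work_processes, logon_groups, params):
        self.weights = dict(work_processes)
        self.groups = logon_groups
        self.https_group = params["wdisp/HTTPS/dest_logon_group"]
        self.sticky_mask = int(ipaddress.IPv4Address(params["wdisp/HTTPS/sticky_mask"]))
        self._credit = {}   # requests each instance may still take in the current round
        self._pos = 0       # cursor for the round-robin cycle

    def next_by_weight(self):
        """Weighted round-robin for new HTTP requests: each instance gets one
        request per pass until it has taken as many as it has work processes."""
        names = list(self.weights)
        if not any(self._credit.values()):
            self._credit = dict(self.weights)          # start a new round
        for _ in range(len(names)):
            name = names[self._pos % len(names)]
            self._pos += 1
            if self._credit[name] > 0:
                self._credit[name] -= 1
                return name
        raise RuntimeError("no instance has capacity left in this round")

    def route_http(self, headers):
        """Plain HTTP: a request carrying SAP_CONTEXT_ID stays on the instance
        holding its session; any other request is load balanced."""
        cookie = SimpleCookie(headers.get("Cookie", ""))
        if "SAP_CONTEXT_ID" in cookie:
            # Assumption: the cookie value names the instance; the article does
            # not describe the real cookie encoding.
            pinned = cookie["SAP_CONTEXT_ID"].value
            if pinned in self.weights:
                return pinned
        return self.next_by_weight()

    def sticky_key(self, client_ip):
        """Apply wdisp/HTTPS/sticky_mask: clients that agree in the unmasked
        bits share one key and therefore land on the same instance."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self.sticky_mask
        return str(ipaddress.IPv4Address(masked))

    def route_https(self, client_ip):
        """HTTPS: the dispatcher sees only the client address, so it chooses
        among the SSL-enabled instances of the HTTPS group by the key alone."""
        group = self.groups[self.https_group]
        key = int(ipaddress.IPv4Address(self.sticky_key(client_ip)))
        host_bits = 32 - bin(self.sticky_mask).count("1")   # 12 for 255.255.240.0
        # Assumption: a fixed key-to-member mapping; only its stability matters.
        return group[(key >> host_bits) % len(group)]


def demo():
    """One round of HTTP balancing, one pinned request, and three HTTPS clients."""
    d = Dispatcher(WORK_PROCESSES, LOGON_GROUPS, parse_profile(PROFILE))
    burst = [d.next_by_weight() for _ in range(20)]
    return {
        "one_round": {n: burst.count(n) for n in WORK_PROCESSES},
        "pinned": d.route_http({"Cookie": "SAP_CONTEXT_ID=appsrv3"}),
        "https": [d.route_https(ip) for ip in ("124.94.55.1", "124.94.55.99", "124.94.64.5")],
    }


if __name__ == "__main__":
    print(demo())
```

In one round of twenty session-less requests the instance with ten work processes takes ten of them and the two smaller instances five each, and a request that already carries `SAP_CONTEXT_ID` bypasses the rotation. For HTTPS, the two client addresses from the profile comment (124.94.55.1 and 124.94.55.99) reduce to the same key, 124.94.48.0, and so are routed to the same member of HTTPSGROUP, while 124.94.64.5 falls into a different /20 and may land elsewhere; no HTTPS request ever reaches appsrv1, which is outside the group. The model also makes the article's tradeoff concrete: every client behind one proxy shares a key, so the balancing granularity for HTTPS is the proxy, not the user.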