Installing and Configuring SAP Web Dispatcher

SAP Web Dispatcher receives information about the application servers, which it needs for load distribution, from the message server and application servers. The following list presents types of information:

• It gets server information (the list of servers that it can use for requests) from the message server.
• It gets information about the logon groups and URL mapping from an ABAP application server.
• SAP Web Dispatcher checks the availability of the application servers using ping requests to the application servers.

SAP Web Dispatcher obtains information about the application servers of the SAP system from the message server via HTTP(S). You can use SAP Web Dispatcher for AS ABAP systems, AS Java systems, HANA XS systems and SAP Cloud Platform systems in some scenarios.

The HTTP interface of the message server allows you to display information about the application server instances with a Web browser. To do so, enter the following URL:http(s)://<message server host>.<message server domain>:<message server http(s) port>/msgserver/text/logon?version=1.3.

The prerequisites for operating the SAP Web Dispatcher are

• The SAP Web Dispatcher is able to contact the HTTP port of the SAP message server.
• The following ICF services are active:
  • /sap/public/icman
  • /sap/public/icf_info and all sub-services

On the host on which SAP Web Dispatcher will be used, it is sufficient to provide the executable (name: sapwebdisp) and a profile file. The executable is the package sapwebdisp.sar that you can download for various platforms from the SAP Support Portal (area SAP Technology Components). In addition, you need a profile, typically named sapwebdisp.pfl. For a list of profile parameters, see the online documentation. Running the command sapwebdisp pf=<profile file> is sufficient to start SAP Web Dispatcher.

You can also start SAP Web Dispatcher without a profile file. For this bootstrap option (started with command sapwebdisp -bootstrap), the following steps are executed:

1. If the sapwebdisp.pfl profile file does not exist, it is created based on interactive entries.

2. If the icmauth.txt authorization file does not exist, it is created and a user is entered for Web Administration interface.

3. SAP Web Dispatcher is started with the profile file created.

The tools for installing and updating SAP products are delivered with the Software Logistics Toolset (SL Toolset), which is updated several times a year, so you get the latest improvements and updates in time. In this manner, the SL Toolset delivers software logistics tool improvements on a continuous basis, independent from the SAP application product shipments. The SL Toolset is delivered in Support Package Stacks.

Software Provisioning Manager (SWPM) is the successor of the product- and release-specific delivery of provisioning tools. It provides the latest SAPinst version with software provisioning services for several products and releases for all platforms, enabling you to profit directly from up-to-date procedures powered by a reliable tool available and used for years.

Meanwhile, two versions of Software Provisioning Manager are available:

• Software Provisioning Manager 1.0
• Software Provisioning Manager 2.0

Both versions can be used to install SAP Web Dispatcher.

In case you explicitly want to install the non-Unicode version of SAP Web Dispatcher, you have to use Software Provisioning Manager 1.0.

To download the latest SWPM, open https://support.sap.com/sltoolset and navigate to System Provisioning → Download Software Provisioning Manager → SOFTWARE PROVISIONING MGR 2.0 → SUPPORT PACKAGE PATCHES → <Platform>. For more information about SWPM, see SAP Help Portal – Additional Content on Software Provisioning Manager 1.0 and 2.0 at https://help.sap.com/docs/SUPPORT_CONTENT/sl/3362916978.html.

The SWPM-based installation of SAP Web Dispatcher requires the following SAP archives (.SAR files):

• SAP Web Dispatcher

• SAP Host Agent

To download the latest SAP Web Dispatcher archive, open https://me.sap.com/softwarecenter and navigate to Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>.

To download the latest SAP Host Agent archive, open https://me.sap.com/softwarecenter and navigate to Support Packages & Patches → By Category → SAP Technology Components → SAP Host Agent → SAP Host Agent <Release> → <Platform>.

The sapinst executable can be launched with many command line options. To see all of them, enter sapinst -p.

The option to install an SAP Web Dispatcher is located at Generic Options → SAP Web Dispatcher → SAP Web Dispatcher (Unicode) (the path may vary, depending on the SWPM release).

SWPM offers two options for Parameter Mode, Typical or Custom. The figure lists dialogs of SWPM when being executed in Parameter Mode = Typical.

To access the installations guides for SAP Web Dispatcher, open the Guide Finder for SAP NetWeaver and ABAP Platform at https://help.sap.com/viewer/nwguidefinder and search for dispatcher. Note the proper operating systems and SWPM version.

For templates for the profile and parameter descriptions, see the online documentation. SAP Web Dispatcher must know the port at which it is to receive HTTP(s) requests on which host and with which HTTP(S) port it can access the message server (both is set using SAP Web Dispatcher profile parameter wdisp/system_<xx>).

You can check the configuration of SAP Web Dispatcher to ensure that your settings will work when the Dispatcher is running. To do so, start SAP Web Dispatcher from the command line with the command: sapwebdisp pf=<profile> -checkconfig. This verifies the following items:

• If the configuration of the maximum number of sockets in the Operating System permits the required number of configured connections.
• If the information about the application servers is configured in a file and in the wdisp/server_info_location parameter. Check the syntax and semantics of this file.
• If the information about the application servers is configured in the message server:
  • Test the connection to the HTTP port of the message server.
  • Check the data from the message server with the configured URL.
• If the connection to all the application servers is found.
• If the file is configured with the wdisp/group_info_location, do a syntactic/semantic check of the group file. Otherwise, check the data from an application server with the configured URL (/sap/public/icf_info/icr_groups). Check that the ICF nodes are activated.
• If the file is configured with the wdisp/url_map_info_location, do a syntactic/semantic check of the group file. Otherwise, check the data from an application server with the configured URL (/sap/public/icf_info/icr_urlprefix). Check that the ICF nodes are activated.

If you want to update your SAP Web Dispatcher installation, download the SAP Web Dispatcher archive (for the proper operating system and major release) at https://support.sap.com/swdc, path Software Downloads → Support Packages & Patches → By Category → SAP Technology Components → SAP Web Dispatcher → SAP Web Dispatcher <Release> → <Platform>. Unpack that file (by executing sapcar -xvf <sapwebdisp.sar file>) to the proper directory and (re)start SAP Web Dispatcher. Continue as described in SAP Note 908097 (the procedure is similar to a kernel update).

Cryptography is the science of encrypting information. Why is this a very important topic in today's IT world? The standard protocol used for transporting http requests, TCP/IP, is a potentially insecure transport mechanism. Everyone connected to a specific network is able, with more or less effort and knowledge, to listen to the packages and its content transferred with the IP protocol in that network. This vulnerable protocol makes it necessary to encrypt the transferred data itself. For a better understanding we describe here a possible attack against the TCP/IP protocol and the data transferred with this protocol.

In the above example, Alice (1) initiates a communication with Bob and requests some data about customers from him. Bob gathers the requested data and responds to Alice's request (2). The entire exchange is eavesdropped by Mallory. He now knows about the information that was discussed (3).

In the context of TCP/IP, Alice (stands for a Web browser), for example, requests some data via an http request that is transferred via the TCP/IP protocol. The server (here represented by Bob) responds and transfers some sensitive customer data from the server to the client via the TCP/IP protocol. Mallory, an attacker, is on the same network and therefore is able to eavesdrop on this TCP/IP communication.

The solution for securing this communication is the encryption of the transferred data; this involves making the conversation impossible for the attacker to understand but making it understandable to the participants involved in the conversation only.

Encryption itself is based on mathematical operations. A key therefore has to be exchanged between the communication partners in order to have a computable basis for encrypting and decrypting information. There are three different methods for exchanging these keys.

Symmetric Key Encryption is the classical cryptography method for encrypting and decrypting messages. In this case, both the sender and receiver of a message share a "secret" called a secret key. The sender uses this key to encrypt the message. The receiver also uses this key to decrypt the message.

The shared secret is called a secret key. It consists of a value of a certain length, 256 bits for example. These encryption algorithms are in widespread use and are employed in most Web browsers and Web servers. Typical Symmetric Key Encryption Algorithms include:

• Digital Encryption Standard (DES)

• Triple DES

• Advanced Encryption Standard (AES)

• International Data Encryption Algorithm (IDEA)

• RC4

• RC5

• Blowfish

Asymmetric Key Encryption uses a different algorithm than Symmetric Key Encryption. Asymmetric Key Encryption uses a key pair that consists of a private and a public key. These keys belong to each other. A message that is encrypted with the public key can only be decrypted with the matching private key. The public key can be made public. The owner of the key pair "publishes" the public key and can distribute it as required. The private key must be kept secret.

The person who is sending a confidential message uses the recipient‘s public key to encrypt the message. Only the recipient can then decrypt the message using his or her private key. A typical public key encryption algorithms is

• RSA (Rivest, Shamir, Adleman),

• Diffie-Hellman.

Disadvantages of Public Key Encryption:

• It is slower than Symmetrical Key Encryption.

• Encryption is only possible in one direction with a single key pair. Alice can encrypt a message to send to Bob, but not the other way round.

• If Alice also has a key pair, then Bob can send her an encrypted message. However, there is an easier way.

Hybrid Encryption Process is the combination of both above explained encryption processes. The Hybrid Encryption Process make use of the advantages of both process types. For the better understanding we describe this process in the following example.

Process:

1. The client (browser) contacts the ICM process respectively SAP Web Dispatcher.

2. The Application Server responds and sends its Public Key.

3. Client-side a Secret Key is created and encrypted with the Public Key the server sent before.

4. The client sends back the encrypted Secret Key.

5. On the server the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key which is necessary for the decryption.

6. The communication partners perform a "Handshake"; they shake hands.

7. Further communication between the client and the server is encrypted using the Secret Key.

In the first part of this lesson we described a possible attack on the transport protocol and what can be done to secure this communication. But what happens if Mallory interferes with the communication and pretends to be Bob? He may even provide Alice a public key, saying that is Bob's key. The question is how can we make sure that Alice is really communicating with Bob and therefore the public key she received is really Bob's public key?

The problem is also covered by cryptography and is called Authentication. Authentication normally takes place using the user ID and password. But with cryptographic mechanisms it is possible to authenticate communication partners, by means of verifying that the communication partner is the one she or he pretends to be. The basis for the authentication of communication partners are Digital Certificates.

The digital certificate is the individual's "digital identity card" on the Internet. Compared to the "real world", digital certificates can be compared to a passport which contains information about owner, issuer, serial number, and validity period. The format of the certificate is specified by the X.509 standard for digital certificates.

Beneath some general information the certificate contains also the public part of the key pair whereas the private key is not included in the certificate. The private key must be kept in a safe place. The certificate is issued to a person or server by an authorized entity called a Certification Authority (CA). The CA ensures by digitally signing the certificate that the public key, which matches to a private key, belongs to a specific person or server. Thus, the CA ensures that the certificate cannot be "faked". The complete infrastructure that manages the issue and verification of certificates is called the Public Key Infrastructure (PKI).

Examples of well-known Certification Authorities:

• Verisign Inc.

• TC Trust Center

The certification of digital certificates is performed, for example, as follows:

1. A public and private key pair is generated on the server.

2. The public key is sent to the CA (it is called a Certificate Signing Request, or CSR).

3. The CA digitally signs the server's public key and sends it back to the requestor.

4. Import of the CSR response, the digitally signed certificate, into the server.

Different CAs use different policies, on how to check the identity of a person or system, before issuing a digital certificate.

The server is now sending the digitally signed certificate, which includes the public key, to the communication partner. This kind of authentication is called Server Authentication. But how can the communication partner ensure that the digitally signed certificate is signed from a trusted CA? The communication partner has to have a trust relationship to the CA which issued the certificate. Technically this can be achieved by importing a digital certificate of the institution (CA) issued the certificate for the server. This is the so-called root certificate. The most common root certificates are pre-installed in most Web browsers.

In the previous sections you learned the fundamentals of Cryptography, Authentication and Digital Certificates. These technologies are also fundamental to securing the HTTP communication. Secure Socket Layer (SSL) is a transparent protocol enhancing other protocols having no security functionalities. SSL is not an HTTP-specific protocol but a protocol used between the TCP layer and application protocols like LDAP, SMTP, HTTP and so on. An HTTP application protocol that has been extended by SSL has the protocol identification HTTPS in the URL.

SSL uses a Hybrid Encryption method and provides besides data encryption the following authentication mechanisms:

• Server authentication

• Client authentication

• Mutual Authentication

To use SSL for server authentication, the ICM process respectively SAP Web Dispatcher possesses a private and public key pair.

1. Alice contacts the ICM process respectively SAP Web Dispatcher using a browser.

2. The Application Server responds and sends its Public Key with a digitally-signed message. The client-side server's identity is verified by checking the validity of the certificate. The certificate is only accepted if the client trusts the CA that issued that certificate to the ICM process respectively SAP Web Dispatcher. This is done with the CA root certificate.

3. The Secret Key is created and encrypted with the Public Key the server sent previously.

4. The client sends back the encrypted Secret Key.

5. On the server the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key that is necessary for the decrypting.

6. The communication partners perform a handshake.

7. Further communication between the client and the server is encrypted using the Secret Key.

You can also use SSL for connections where an intermediary server is used. An intermediary server may be a Web proxy or the SAP Web Dispatcher. A typical scenario is to place the intermediary server in the DMZ and the AS ABAP in the intranet zone. The servers that are supported for use with AS ABAP are:

• SAP Web Dispatcher

• Microsoft Internet Information Server (IIS) with an IIS proxy module from SAP

• Other products (for example, the Apache Web Server)

The first connection type shown above does not use SSL at all. Therefore, you only need to set the port to HTTP. No extra configuration is needed.

For the second connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTP and the outgoing connection uses HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL client.

For the third connection type, the request is terminated at SAP Web Dispatcher. The incoming connection uses HTTPS and the outgoing connection uses HTTP. Therefore, you must configure SAP Web Dispatcher as an SSL server.

For the fourth connection type, the request is terminated at SAP Web Dispatcher. Both the incoming connection and the outgoing connection use HTTPS. Therefore, you must configure SAP Web Dispatcher as an SSL server and an SSL client.

We will now consider how to configure SAP Web Dispatcher in an SSL server role.

We recommend that you use the Web Admin UI of SAP Web Dispatcher to configure SSL support.

As a high-level overview, these are the required steps to configure SAP Web Dispatcher for SSL when the connection is terminated and SSL is used:

1. Create the SAP Web Dispatcher's Personal Security Environments (PSE(s)) and certificate request(s). Create an SSL server PSE if the incoming connections use SSL. Create an SSL client PSE if the outgoing connections use SSL. Create both if both connections use SSL.

   To create an SSL server PSE with Subject Alternative Name (SAN), refer to SAP Note 2502649Creating certificates with Subject Alternative Name (SAN) through the Web Admin page.

2. Perform the following steps for each of the PSEs that you created in the previous step:

   1. Send the certificate request(s) to a CA to be signed.

   2. Import the certificate request response(s) into the PSE.

   3. Create credentials for SAP Web Dispatcher.

3. For SSL outbound connections, import a CA root certificate into the SSL client PSE of SAP Web Dispatcher. Use the same CA root certificate for the CA that issued the SSL server certificate to the AS ABAP application server.

4. Set the profile parameters according to the case you are using.

5. Restart SAP Web Dispatcher.

6. Test the connection.

For details, see the online documentation for SAP NetWeaver resp. ABAP Platform.

In a simple system landscape the AS ABAP and the browsers are usually located in the same network. In this case, the browser can access the AS ABAP server directly using its configured name. Conversely, if the AS ABAP has to generate an absolute URL for the browser, it can use its configured name to generate the URL.

In more complex system landscapes a reverse proxy server, for instance, the SAP Web Dispatcher, is used in the network. This happens, for example, if the reverse proxy server is visible in the Internet and the AS ABAP is located behind a firewall. In this case the browser uses the name of the reverse proxy server when it is communicating with the server. Or the other way around: it is not possible for the AS ABAP to use its own configured name to generate absolute URLs. The URL must contain the name and port of the reverse proxy server (that is, the name and port of the unit with which the browser communicates). The configuration table HTTPURLLOC can then be used to describe how a URL is to be generated.

For more information, see SAP Note 750292 – BSP: URL Generation in a config of WebAS with Web Dispatcher which also contains a link to the online documentation.

SAP Web Dispatcher is a SAP solution for load distribution for HTTP(S) requests. If an SAP system consists of multiple instances, the SAP Web Dispatcher receives the requests from the browser and forwards them to the application server that currently has most capacity. This simplifies administration since there is only one entry point (IP address, HTTP(S) port, and so on) to the SAP system.

If SAP Web Dispatcher also uses SSL for the connection to the AS ABAP system (re-encryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE.

You have different options to establish a trust between SAP Web Dispatcher and an AS ABAP system. One approach is that you export the SSL server certificate from the AS ABAP system and import it to the SAP Web Dispatcher client PSE. However, a more convenient approach is that you have a common Certification Authority (CA) in place.

• Use this CA to sign the SSL server certificate of AS ABAP (transaction STRUST).

• Import the root certificate of the same CA into the SAP Web Dispatcher client PSE.

As of SAP Web Dispatcher 7.53, you can establish the trust with an AS ABAP-based back-end system completely in the Web Admin UI (a separate download of the respective certificate is not necessary anymore). To do so, use the feature in the Web Admin UI available at <SID of SAP system> → Monitor Application Servers → <application server menu (column Name)> → Establish Trust. Here you can choose the certificate to establish the trust (Root Certificate, Issuer Certificate(s) or Peer Certificate).

For more information, see SAP Help Portal – Additional Content on How to Configure SAP Web Dispatcher to Trust Backend System SSL Certificate at https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959216.html.

SAP Web Dispatcher supports multiple SAP (backend) systems (and non-SAP Web servers) out of the box. You do not have to set up, configure, or wait for an SAP Web Dispatcher for each system; you can use a common SAP Web Dispatcher for all systems. This must then be configured for all connected systems.

You can separate the requests using one of the various mechanisms, or a combination of mechanisms configured using subparameters of parameter wdisp/system.

Host Name (subparameter SRCVHOST)

Requests are forwarded to the configured system if the host name in the URL matches the host name specified in SRCVHOST.

URL path prefix (subparameter SRCURL)

Requests are forwarded to the configured system if the URL path prefix matches the URL path prefix specified in SRCURL.

Access point (IP address (or host name) and port) of SAP Web Dispatcher (subparameter SRCSRV)

Requests are forwarded to the configured system if SAP Web Dispatcher IP address and port where the request was received match the access point specified in SRCSRV.

In most scenarios SRCVHOST and SRCURL are sufficient to perform the system selection. If the system selection cannot be performed using the subparameters listed above, it is possible to perform system selection in the HTTP modification handler by setting header field X-SAP-WEBDISP-TARGET-SID.

For each back-end system, add a wdisp/system_<xx> line to SAP Web Dispatcher profile. For example:

wdisp/system_0 = SID=ECC, MSHOST=ms_ecc.wdf.sap.corp, MSPORT=8104, SRCVHOST=ecc.acme.com

wdisp/system_1 = SID=NWP, MSHOST=ms_nwp.wdf.sap.corp, MSPORT=8134, SRCVHOST=nwp.acme.com

For each incoming request, SAP Web Dispatcher uses the configured criteria and the setting of wdisp/system_<xx> to check which system the request can go to. If the criteria are met by more than one system, the behavior is determined by the parameter wdisp/system_conflict_resolution. For more information and examples, see the online documentation.

SAP Web Dispatcher offers further functions, which are not covered in this lesson. Some of them are:

URL filtering

You can define URLs that you want to be rejected, and, by doing so, restrict access to your system.

Web caching

You can use SAP Web Dispatcher as a Web Cache to improve the response times and to conserve the application server cache.

Request rewriting

You can rewrite HTTP requests (and responses), for example to add or modify HTTP header fields.

SLD registration

You can configure SAP Web Dispatcher to register at a System Landscape Directory (SLD).

SAP Web Dispatcher can be protected from Denial of Service (DoS) attacks by limiting the number of connections from a single IP address. For every network connection that is established, the number of existing connections per client IP address is checked.

To see an overview of the top 25 consumers, including information about the number of active connections and time of last warning and rejection, call up SAP Web Dispatcher Administration UI and navigate to Core System → Client IP Top Consumer.

Profile parameter icm/client_ip_connection_limit contains sub-parameters WARN and REJECT to specify the limits for connections from a single IP address.

The values determined for these subparameters are percentage shares of the maximum number of connections that is specified by icm/max_conn. The default values are set to 90 and 100.

If the limit for WARN is exceeded, the SAP Web Dispatcher creates a system log (Message ID IMA) and trace entry. To prevent the system log from an overload of entries, only one entry per minute is created.

If the limit for REJECT is reached, the SAP Web Dispatcher terminates the connection and creates a system log entry (Message ID IMB).

The back-end system of Application Server ABAP can be protected from Denial of Service (DoS) attacks by limiting the number of concurrent requests that SAP Web Dispatcher forwards to the back-end system. That way, an overload from an untrusted request source can be avoided.The number of concurrent requests is roughly equal to the number of ABAP work processes that are occupied with processing these requests.

To monitor information about pending requests that have not yet been answered by the back-end system, call up SAP Web Dispatcher Administration UI and go to menu Dispatching Module → Backend System pending Request Info .

Profile parameter wdisp/system contains subparameters PENDING_REQUEST_LIMIT_WARN and PENDING_REQUEST_LIMIT_REJECT to specify the limits for concurrent requests in each back-end system.The values determined for these subparameters are absolute numbers. By default, this feature is disabled and has to be configured by the administrator.

If the limit for PENDING_REQUEST_LIMIT_WARN is exceeded, SAP Web Dispatcher creates both a system log (Message ID IMC) and trace entry.

If the limit for PENDING_REQUEST_LIMIT_REJECT is exceeded, SAP Web Dispatcher returns status code 503 Service Unavailable and creates a system log entry (Message ID IMD).

You can limit the resources consumed by a single user in application server instances of AS ABAP. This is configured using parameter rdisp/user_resource_limit. The parameter also has sub-parameters WARN and REJECT with respective values. These values are percentages. 100 stands for the entire amount of a resource available.

If the WARN limit is reached, syslog and trace entries are written (with flooding prevention).

If the REJECT limit is reached, a system log entry with key R2K is written and the session is cancelled.

• SAP S/4HANA 2023 online documentation (Product Assistance), area Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Components of Application Server ABAP → SAP Web Dispatcher

• SAP Help Portal – Additional Content on SAP Client-Server Technology (area SAP Web Dispatcher) at https://help.sap.com/docs/SUPPORT_CONTENT/si/3362958857.html

• SAP Note 538405SAP Web Dispatcher: composite note

• SAP Note 552286Troubleshooting for the SAP Web Dispatcher

• SAP Note 1040325HTTP load balancing: Message Server or Web Dispatcher?

• SAP Note 908097SAP Web Dispatcher: Release, Installation, Patches, Documentation

• SAP Note 1708601Inst. Web Dispatcher SAP NetWeaver 7.1 and Higher

• SAP Note 1282692Displaying logon groups in SAP Web Dispatcher and J2EE stack

• SAP Note 2007212Tuning SAP Web Dispatcher and ICM for high load

• SAP Note 2502649Creating certificates with Subject Alternative Name (SAN) through the Web Admin page

• for installation guides, open the Guide Finder for SAP NetWeaver and ABAP Platform at https://help.sap.com/viewer/nwguidefinder and search for dispatcher