icm/HTTP/auth_<xx>

Value Range and Syntax

To set up the access restrictions use the parameter with the following syntax:

icm/HTTP/auth_<xx> = PREFIX=<URL-Präfix>
[,PERMFILE=<permission file>, AUTHFILE=<authentication file>, 
FILTER=<name>]
            

The <xx> index is a number without a leading 0.

This is explained below.

• PREFIX

  URL prefix for which the HTTP subhandler is to be called.

• PERMFILE

  Optional specification:

  Name of the permission file in the file system

• AUTHFILE

  Optional specification:

  Name of the user file or system for authentication of an operating system user

• FILTER

  Optional specification:

  Name of the profile for the search template (default value: SAP). If you leave out the option, you are deactivating the filter. The filter can be dynamically activated/deactivated by setting the parameter csi/enable. You can dynamically activate/deactivate filtering using the parameter csi/enable. You can find the parameter on the Web administration interface.

• CASE

  Specifies the case sensitivity of URL prefixes in PERMFILE. TRUE means that the URL prefixes are handled case-sensitively. FALSE means that the URL prefixes are handled case-insensitively. The default is FALSE. We also recommend this setting.

  Since AS ABAP handles URLs case-insensitively, you should always configure negative lists case-insensitively. CASE=TRUE can only be used meaningfully if the permission file only contains positive entries (entries of type "P").

PERMFILE

In the permission file you determine the type of access protection. The permission file has the following structure:

• Comment lines start with a # and are ignored.

• Other lines have the form:

  P/D/S <URI pattern> <USER><GROUP><CLIENT IP><SERVER IP>

  where the letter at the start of the line has the following meaning:

  • P (Permit)lets the request through.

  • D (Deny)refuses the request and sends a message to the client.

  • S (Secure)only allows secure connections (HTTPS) for the URL prefix.

  • <URI pattern> is the section of the URL that is labeled in the cache key section as translated path.

• You can use the wildcard character * for the URI pattern, but only at the start or the end of the <URI pattern> string.

• For the client and server IP address you can use an exact comparison, the wild card character *, or the net mask syntax.

The default value of empty entries is *, which permits everything.

The conditions are checked from top to bottom.

If one of the condition for D or P is true, the check ends, and the request is permitted or denied by the subhandler.

If none of these conditions in the table is met, the request is denied.

Table “permfile.txt” enables access to /sap/admin through server IP address 192.168.2.40. Only client IP addresses from subnetwork 192.168.1.0/24 are valid.

For Web applications that use an initial URL and subsequent URLs within the initial URL, two entries must be configured. For example, for the Web Admin interface subsequent URLs are generated under path /sap/admin, for example, /sap/admin/public/default.html. Therefore, entries for URI patterns /sap/admin and /sap/admin/* are required.

Table “permfile2.txt” enables access to URI /sap/bc/echo only through client IP address 10.18.55.50. All other URIs below /sap/bc/ are not blocked.

AUTHFILE (optional)

The AUTHFILE determines the permitted users and passwords, and is required if entries for USER or GROUP are made in the permission file.

Possible values for AUTHFILE:

• System: The user is authenticated against an operating system user.

• <File name>: File with user name, group name, and protected passwords.

The authorization file can be generated and maintained using programs wdispmon and icmon (Option -a). It has the following structure:

• Comment lines start with a # and are ignored.

• Other lines have the form:

  <User>: <Password hash>: <User group>: <DN Client certificate>

Example

Authentication for the ICM and SAP Web Dispatcher: