The following SAP Web Dispatcher parameters are relevant for running the Dispatcher with SSL.
Parameter |
Meaning |
Unit |
Default Value |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
wdisp/HTTPS/ dest_logon_group |
Note
This parameter is only relevant when using End-to-End SSL. This parameter determines the logon group for load balancing requests at the SAP Web Dispatcher. If a logon group is defined, the requests are passed to the servers in this group only. If no group is defined, the requests can be passed to all of the servers in the system. |
Logon group name |
|||||||||||||
wdisp/HTTPS/ sticky_mask |
Note
This parameter is only relevant when using End-to-End SSL. This parameter describes a bit mask for client IP addresses. The result of the bitwise AND operation on the client's IP address and the sticky mask is used for load balancing of clients. This allows you to combine groups of client IP addresses. This functionality is required because large internet providers use several proxies (with different IP addresses) but the clients must be handled in the same way. This is imperative for applications for which the server keeps a status (“stateful” applications). |
Character string |
255.255.240.0 This means that the last 12 bits of the client IP address are no longer significant (are not distinguished). |
||||||||||||
wdisp/HTTPS/ max_client_ip_entries |
Note
This parameter is only relevant when using End-to-End SSL. This parameter specifies the maximum number of entries in the mapping table between the client IP address and the application server. The memory for the mapping table is allocated in the host's shared memory. Example
The following table specifies examples of memory requirements with specific settings.
|
Number of entries (integer value) |
50000 |
||||||||||||
wdisp/HTTPS/ context_timeout |
This parameter specifies the timeout for entries in the client IP table in seconds (default 3600). An entry is deleted from the table if no request has arrived from this client IP address within the specified time span. Caution
The value of this parameter must always be bigger than the session timeout of the application server. This value depends on whether it is an ABAP or a Java request.
|
Seconds |
3600 |
||||||||||||
wdisp/HTTPS/ max_pooled_con |
This parameter is the same as wdisp/HTTP/max_pooled_con, though for HTTPS connections. Note
What is important here is which protocol is used from the SAP Web Dispatcher to the application server. Recommendation
You do not normally need to change the default setting. |
Number of connections |
32768 |
||||||||||||
wdisp/HTTPS/ min_pooled_con |
This parameter is the same as wdisp/HTTP/min_pooled_con, though for HTTPS connections. Note
What is important here is which protocol is used from the SAP Web Dispatcher to the SAP NetWeaver AS. Caution
Since a thread is blocked in the ICM for each HTTPS connection in the pool on the SAP NetWeaver AS side, you should not change the default value of 0! |
Number of connections |
0 |
||||||||||||
wdisp/ssl_encrypt |
This parameter determines how the SAP Web Dispatcher handles inbound HTTP(S) requests. The following values are possible: 0: Forward the request unencrypted. 1: Encrypt the request again with SSL, in case the request arrived via HTTPS protocol. 2: Always forward the request encrypted with SSL. You can also configure the SAP Web Dispatcher for end-to-end SSL, by specifying the protocol ROUTER when you define the icm/server_port_<xx> parameter. |
Integer (0, 1 or 2) |
0 |
||||||||||||
wdisp/ssl_auth |
This parameter determines which X.509 client certificate of the SAP Web Dispatcher can be used with the application servers. The following values are possible: 0: No certificate 1: Default certificate 2: Use the certificate specified in the wdisp/ssl_cred parameter. |
Integer (0, 1 or 2) |
1 |
||||||||||||
wdisp/ssl_cred |
Name of the PSE file used for the server authentication. This option is only relevant if wdisp/ssl_auth =2. |
File name/path name (corresponds to the operating system convention) |
|||||||||||||
wdisp/ssl_certhost |
This parameter is only relevant, if you have configured a connection with SSL, that is, either the connection to the message server (wdisp/server_info_protocol = https), to the application servers (wdisp/group_info_protocol=https or wdisp/url_map_protocol=https or SSL termination (wdisp/ssl_encrypt = 1 or 2). If wdisp/ssl_certhost is not defined, for each application server a server certificate must be set up on the relevant host. You can use this parameter to specify a host, in the name of which the server certificate is issued. Then you do not have to provide a certificate for each application server. Example
Your server certificate is issued on the name www.sap.com. You activate this certificate for all application servers in transaction STRUST. You also set the value of wdisp/ssl_certhost to www.sap.com. If this parameter is not set, the host names on the message server (transaction SMLG) and the names the certificates are issued with must be the same. |
Host Name |
|||||||||||||
wdisp/ssl_ignore_ host_mismatch |
If the connection between the Web Dispatcher and application server is re-encrypted (wdisp/ssl_encrypt=1=1), the server must produce an SSL server certificate before the connection can be opened. If the host name in the certificate does not match the server name the Web Dispatcher is connected to (names are not case-sensitive), no SSL connection can be established. Example
The certificate is issued on sdm.int.sap.com. The application server, however, runs on the internal host with the name ld5000.wdf.sap.corp (and it is also logged on with this name to the message server). If this parameter is now set to 1 or TRUE, the Web Dispatcher ignores the missing match between the server certificate and the server host name, and uses this newly opened SSL connection between the Web Dispatcher and the server for the communication. |
Logical value (TRUE, FALSE, 1, 0) |
FALSE |
SSL (Re)-Encryption: Connection Pooling
To increase system performance when using SSL (re)encryption, you can activate connection pooling by setting parameter wdisp/HTTP/use_pool_for_new_conn = 1.