Security Information for SAP Web Dispatcher

To guarantee maximum security when the Web Dispatcher is running, SAP recommends the following measures:

  • Always use the most up-to-date SAP Web Dispatcher: SAP Note 538405 describes where you can find the newest version. Search regularly for SAP Security Notes that affect the SAP Web Dispatcher.

  • Use HTTPS instead of HTTP.

    • Use the rewrite handler to configure a protocol switch from HTTP to HTTPS. This fully prevents the use of unencrypted HTTP, and it also avoids error messages in the browser if users inadvertently access the system with an HTTP URL. Note that not all HTTP clients follow the redirect: although this redirect configuration ensures that no plain HTTP access to the system is possible, individual clients of the system that do not follow redirects (for example, web service end points) must also be switched from HTTP to HTTPS on their side.

    • Also use HTTPS between the SAP Web Dispatcher and the back-end systems (profile parameter wdisp/ssl_encrypt) if the network between the SAP Web Dispatcher and the back-end systems is not sufficiently secured otherwise.

  • Use filters to restrict access to your system at different levels. SAP Web Dispatcher provides various filtering mechanisms. We recommend that you use the simplest mechanism that meets your security requirements: for example, if ACLs are sufficient, use them. The next level is the authentication handler, and the top level is the rewrite handler. This avoids an unnecessarily complex configuration, since a simple configuration itself contributes to system security.

    • If you specify negative lists (deny entries) in URL filters, use case-insensitive filters because the ABAP application server treats URLs as case-insensitive.

The three filter mechanisms compared:

| Filter mechanism | ACL files | Authentication Handler | HTTP Rewrite Handler |
|---|---|---|---|
| Use | Use ACL files to restrict access to specific client IP addresses or client IP address ranges if the restriction does not depend on the content of the HTTP request (nor on the URL), and no HTTP error page is required. | Use the authentication handler to set up URL filters. Rules in the authentication handler can also refer to specific client IP addresses, or to server IP addresses. | Use the HTTP rewrite handler for filters that cannot be expressed with ACL files or the authentication handler. The rewrite handler is a powerful tool for various filtering mechanisms: it enables large amounts of data in an HTTP request to be checked and combined using a set of rules, and different actions can then be performed depending on the request. |
| Reloading the configuration file dynamically | Is possible | Is possible | Is possible |
| Positive or negative lists | Yes, both; mixed lists also possible | Yes, both; mixed lists also possible | Yes, both; mixed lists also possible |
| Filtering on URLs, handling of upper and lower case | No | Yes; default setting is case-insensitive; configurable | Yes; case sensitivity can be configured for each filtering rule |
| Security logging | Yes | Yes | No |
| Filtering on client IP addresses, including net masks | Yes | Yes | Yes |

  • Use the SAP Web Dispatcher as a URL filter with positive lists. Definitely filter the following URLs, as they reveal details of the infrastructure and the configuration:

    • /sap/public/icman/*
    • /sap/public/ping
    • /sap/public/icf_info/*

  • Use HTTP Logging and Security Logging.
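As an added illustration (not taken from this SAP documentation, and a simplified model rather than the authentication handler's real rule evaluation), the following Python shows why the two recommendations above belong together: a case-sensitive negative list lets a differently cased request path through, which matters because the ABAP application server treats URLs as case-insensitive, while a positive list fails closed. The rule sets, the request paths and the first-match-wins semantics are constructed assumptions.

```python
import fnmatch

# Constructed rule sets. Each rule is (action, pattern): "P" permits, "D" denies.
# First matching rule wins; this is an assumption of the model, not SAP's semantics.
INFRA_PATHS = ["/sap/public/icman/*", "/sap/public/ping", "/sap/public/icf_info/*"]

# Negative list: deny the infrastructure URLs, everything else falls through to permit.
NEGATIVE_LIST = [("D", p) for p in INFRA_PATHS]

# Positive list: permit only what is listed, a final "D *" denies everything else.
POSITIVE_LIST = [("P", "/sap/bc/*"), ("D", "*")]

# Constructed sample requests, including differently cased variants of the same paths.
SAMPLE_REQUESTS = [
    "/sap/public/icman/info",
    "/SAP/Public/ICMan/info",
    "/sap/bc/gui/sap/its/webgui",
    "/Sap/BC/gui/sap/its/webgui",
]


def evaluate(rules, path, case_sensitive):
    """Return "P" or "D" for a request path under the given rule set.

    With case_sensitive=False both path and pattern are lower-cased before
    matching, which models the case-insensitive filter the text recommends.
    A list that has no catch-all rule falls through to permit.
    """
    for action, pattern in rules:
        if case_sensitive:
            matched = fnmatch.fnmatchcase(path, pattern)
        else:
            matched = fnmatch.fnmatchcase(path.lower(), pattern.lower())
        if matched:
            return action
    return "P"


def find_case_gaps(rules, requests):
    """Paths permitted by a case-sensitive evaluation but denied by a
    case-insensitive one: these reach a case-insensitive back end although
    the filter was meant to block them."""
    return [p for p in requests
            if evaluate(rules, p, True) == "P" and evaluate(rules, p, False) == "D"]


if __name__ == "__main__":
    print("negative list gaps:", find_case_gaps(NEGATIVE_LIST, SAMPLE_REQUESTS))
    print("positive list gaps:", find_case_gaps(POSITIVE_LIST, SAMPLE_REQUESTS))
```

With the positive list, a differently cased legitimate request is refused rather than leaked, so the only consequence of case sensitivity there is a denied request, not an exposed page.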

  • Make the following settings to increase security for the Web Admin interface.

    • Use HTTPS to prevent the password from being intercepted. To do this, use in the URL an HTTPS port that you set up with profile parameter icm/server_port_<xx>.

    • Allow the administration of the SAP Web Dispatcher to be done only on ports with a secure protocol (HTTPS), by setting the PORT option of the profile parameter icm/HTTP/admin_<xx> to an HTTPS port.

    • Configure admin ports that can only be accessed from the internal network. To do this, use the PORT option of the profile parameter icm/HTTP/admin_<xx>.

    • Only allow administration tasks to be done under a specific host name/IP address that can only be accessed from the internal network. To do this, use the option HOST of the profile parameter icm/HTTP/admin_<xx>.

    • Restrict the administration to clients in the internal network. To do this, use the CLIENTHOST option of the profile parameter icm/HTTP/admin_<xx>.

  • Deactivate support of public monitoring information in the Web admin interface. To do this, use subparameter ALLOWPUB=FALSE of profile parameter icm/HTTP/admin_<xx>. If ALLOWPUB=FALSE, access to administration pages without logging on is fully deactivated. If ALLOWPUB=TRUE, read access to certain administration pages under the path "public/index.html" is allowed without logging on (for example, "Monitor", "Active Services", "Core Thread Status", "Host Name Buffer", "Release Information", and "MPI Status"). Access to these pages without logging on should be restricted. This can be done with subparameters HOST and CLIENTHOST of profile parameter icm/HTTP/admin_<xx>.

For up-to-date information about security settings for the SAP Web Dispatcher, see SAP Note 870127.