To guarantee maximum security when the Web Dispatcher is running, SAP recommends the following measures:
Always use the most up-to-date SAP Web Dispatcher: SAP Note 538405 describes where you can find the newest version. Search regularly for SAP Security Notes that affect the SAP Web Dispatcher.
Use HTTPS instead of HTTP.
Use the rewrite handler to configure a protocol switch from HTTP to HTTPS. Requests that arrive over plain HTTP are then redirected to the HTTPS URL, so users who inadvertently enter an HTTP URL do not see an error message in the browser and the application itself is never used over unencrypted HTTP. Note, however, that not all HTTP clients follow the redirect, and that the initial HTTP request still travels in clear text: the redirect is a convenience for browser users, not a substitute for configuring clients with HTTPS URLs. Even with the redirect in place, individual clients of the system, for example web service endpoints, may therefore also have to be switched from HTTP to HTTPS explicitly.
Also use HTTPS between the SAP Web Dispatcher and the back-end systems. Use profile parameter: wdisp/ssl_encrypt, if the network between SAP Web Dispatcher and the back-end systems is not sufficiently secured otherwise.
Use filters to restrict access to your system at different levels. SAP Web Dispatcher provides various filtering mechanisms. We recommend that you use the simplest mechanism that meets your security requirements. For example, if ACLs are sufficient, use these. The next level is the authentication handler, and the top level is the rewrite handler. This avoids an unnecessarily complex configuration, which is itself a contribution to system security.
| Filter mechanism | ACL files | Authentication Handler | HTTP Rewrite Handler |
|---|---|---|---|
| Use | Use ACL files to restrict access to specific client IP addresses or client IP address ranges if the restriction does not depend on the content of the HTTP request (nor on the URL) and no HTTP error page is required. | Use the authentication handler to set up URL filters. Rules in the authentication handler can also refer to specific client IP addresses or to server IP addresses. | Use the HTTP rewrite handler for filters that cannot be expressed with ACL files or the authentication handler. The rewrite handler is a powerful tool for various filtering mechanisms: it allows large amounts of data in an HTTP request to be checked and combined using a set of rules, and different actions to be performed for the matching request. |
| Reloading the configuration file dynamically | Possible | Possible | Possible |
| Positive or negative lists | | | |
| Filtering on URLs, handling of upper and lower case | No | | |
| Security logging | Yes | Yes | No |
| Filtering on client IP addresses, including net masks | Yes | Yes | Yes |
Use HTTP Logging and Security Logging.
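As an added illustration (not taken from SAP's documentation or shipped configuration), the three pieces of configuration the measures above call for: a profile fragment that binds the HTTPS port to a positive-list ACL file and encrypts the hop to the back end, the ACL file itself, and a rewrite-handler rule file that performs the HTTP-to-HTTPS protocol switch. The hostname, ports, networks and file paths are assumptions; the parameter names and rule syntax follow the SAP Web Dispatcher profile, ACL-file and rewrite-handler conventions, so check the exact options against the documentation for your release.

```ini
# --- Profile fragment (instance profile of the Web Dispatcher) ---
# HTTPS port for end users; ACLFILE restricts which client networks may connect at all.
icm/server_port_0 = PROT=HTTPS,PORT=44300,ACLFILE=$(DIR_INSTANCE)/acl/public.acl
# Plain HTTP is kept only so that the rewrite rule below can redirect it to HTTPS.
icm/server_port_1 = PROT=HTTP,PORT=8000
# Rewrite rules are read from a separate file (path assumed).
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_INSTANCE)/rewrite.txt
# Also encrypt the connection to the back-end systems (0 = never, 1 = only if the
# client request was HTTPS, 2 = always).
wdisp/ssl_encrypt = 2

# --- acl/public.acl: positive list; rules are evaluated top to bottom, first match wins ---
permit 10.0.0.0/8            # assumed internal network
permit 192.168.100.0/24      # assumed partner network
deny 0.0.0.0/0               # everything else is refused at the TCP level, no error page

# --- rewrite.txt: protocol switch, redirect every request that arrived over plain HTTP ---
if %{SERVER_PROTOCOL} stricmp HTTP
RegIRedirectUrl ^/(.*) https://wd.example.com:44300/$1
```

Keep the ACL as the first line of defence: it decides at connection time and costs nothing per request, whereas the rewrite rule only sees requests that the ACL already let through.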
Make the following settings to increase security for the Web Admin interface.
Use HTTPS to prevent the administrator password from being sniffed in transit. To do this, use in the URL an HTTPS port that you set up with profile parameter icm/server_port_<xx>.
Allow the administration of the SAP Web Dispatcher to be done only on ports with a secure protocol (HTTPS), by setting the PORT option of the profile parameter icm/HTTP/admin_<xx> to an HTTPS port.
Configure admin ports that can only be accessed from the internal network. To do this, use the PORT option of the profile parameter icm/HTTP/admin_<xx>.
Only allow administration tasks to be done under a specific host name/IP address that can only be accessed from the internal network. To do this, use the option HOST of the profile parameter icm/HTTP/admin_<xx>.
Restrict the administration to clients in the internal network. To do this, use the CLIENTHOST option of the profile parameter icm/HTTP/admin_<xx>.
Deactivate support for public monitoring information in the Web admin interface. To do this, use subparameter ALLOWPUB=FALSE of profile parameter icm/HTTP/admin_<xx>. With ALLOWPUB=FALSE, access to administration pages without logging on is fully deactivated. With ALLOWPUB=TRUE, certain administration pages under the path "public/index.html" (for example "Monitor", "Active Services", "Core Thread Status", "Host Name Buffer", "Release Information" and "MPI Status") can be read without logging on. If you keep this setting, restrict such unauthenticated access with subparameters HOST and CLIENTHOST of profile parameter icm/HTTP/admin_<xx>.
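The settings above are easy to get partly right, for example an admin PORT that points at a port whose icm/server_port_<xx> entry is still PROT=HTTP. The following script, an added example and not SAP code, parses a Web Dispatcher profile and reports which of the recommendations it misses, cross-checking the admin PORT against the HTTPS server ports. The two embedded profiles are constructed for the example, as are their hostnames, ports and networks. Two interpretations are assumptions to verify against your release's documentation: an icm/HTTP/admin_<xx> entry without PORT is treated as reachable on every server port, and a missing ALLOWPUB is treated as TRUE.

```python
"""Audit an SAP Web Dispatcher profile against the Web admin hardening measures.

Illustrative example, not SAP code.  Parameter names (icm/server_port_<xx>,
icm/HTTP/admin_<xx>, wdisp/ssl_encrypt) are the documented ones; the sample
profiles, hosts, ports and networks are constructed for this example.
"""
import re

# Constructed profile that ignores the recommendations: admin on the HTTP port,
# no HOST/CLIENTHOST restriction, public pages allowed, no TLS to the back end.
WEAK_PROFILE = """
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=$(icm/authfile),PORT=8000
wdisp/ssl_encrypt = 0
"""

# Constructed profile that applies them: a dedicated HTTPS admin port bound to an
# internal host name, clients limited to the internal network, no public pages.
HARDENED_PROFILE = """
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=HTTPS,PORT=44301,HOST=wdadm.intranet.example
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=$(icm/authfile),PORT=44301,HOST=wdadm.intranet.example,CLIENTHOST=10.0.0.0/8,ALLOWPUB=FALSE
wdisp/ssl_encrypt = 2
"""


def parse_profile(text):
    """Return {parameter: value}.  Profile lines are 'name = value'; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split a 'KEY=val,KEY2=val2' subparameter list into a dict with upper-cased keys."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def https_ports(params):
    """Port numbers (as strings) on which some icm/server_port_<xx> entry speaks HTTPS."""
    ports = set()
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = parse_options(value)
            if opts.get("PROT", "").upper() == "HTTPS" and "PORT" in opts:
                ports.add(opts["PORT"])
    return ports


def audit(text):
    """Return a list of findings; an empty list means every recommendation is met."""
    params = parse_profile(text)
    findings = []
    tls_ports = https_ports(params)
    admin_entries = [(n, v) for n, v in params.items() if re.fullmatch(r"icm/HTTP/admin_\d+", n)]
    if not admin_entries:
        findings.append("no icm/HTTP/admin_<xx> entry found")
    for name, value in admin_entries:
        opts = parse_options(value)
        port = opts.get("PORT")
        if port is None:  # assumption: without PORT the admin handler is active on every server port
            findings.append(f"{name}: no PORT option, admin handler reachable on every server port")
        elif port not in tls_ports:
            findings.append(f"{name}: PORT={port} is not an HTTPS port in icm/server_port_<xx>")
        if "HOST" not in opts:
            findings.append(f"{name}: no HOST option, admin interface listens on all addresses")
        if "CLIENTHOST" not in opts:
            findings.append(f"{name}: no CLIENTHOST option, admin reachable from any client")
        if opts.get("ALLOWPUB", "TRUE").upper() != "FALSE":  # assumption: default is TRUE
            findings.append(f"{name}: ALLOWPUB is not FALSE, monitoring pages readable without logon")
    if params.get("wdisp/ssl_encrypt", "0") == "0":
        findings.append("wdisp/ssl_encrypt is 0 or unset, connections to back-end systems are not encrypted")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {len(audit(profile))} finding(s)")
        for finding in audit(profile):
            print("  -", finding)
```

Run it against your real instance profile (read the file and pass its contents to `audit`) after every change to the icm/HTTP/admin_<xx> line; the PORT cross-check is the one that catches an admin interface silently exposed over HTTP.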
For up-to-date information about security settings for the SAP Web Dispatcher, see SAP Note 870127.