
Security Information for SAP Web Dispatcher

To guarantee maximum security when the Web Dispatcher is running, SAP recommends the following measures:

  • Always use the latest version of the Web Dispatcher. How you import the latest Web Dispatcher is described in Operation of the SAP Web Dispatcher, Importing the SAP Web Dispatcher.

  • Use the encrypted HTTPS protocol instead of HTTP.

    For more information, see Configuring the SAP Web Dispatcher to Support SSL

  • To prevent the use of unencrypted HTTP, change the protocol of the rewrite handler from HTTP to HTTPS. This prevents error messages in the browser if users inadvertently access the system with an HTTP URL. Note that not all HTTP clients follow this redirect. While the redirect configuration ensures that no HTTP access to the system is possible, individual users of the system, e.g. web service end points, may have to be switched from HTTP to HTTPS explicitly.

  • You should also use HTTPS between SAP Web Dispatcher and back-end systems (profile parameter wdisp/ssl_encrypt), if the network between SAP Web Dispatcher and back-end systems is not sufficiently secured with other means.

  • Configure your own error pages to ensure the technical reason for the error is not shown to the end user. Make the following setting:

    icm/HTTP/error_templ_path = /usr/sap/B6M/D13/data/icmerror

    Alternatively you can set parameter is/HTTP/show_detailed_errors to FALSE. Then no information about the error is passed to the client.

    For more information, see Error Handling.

  • Use filters to restrict access to your system at different levels. SAP Web Dispatcher provides various filtering mechanisms. We recommend that you use the simplest mechanism that meets your security requirements. For example, if ACLs are sufficient, use these. The next level would be the authentication handler, and the top level would be the rewrite handler. This avoids an unnecessarily complex configuration, which in itself also contributes to system security.

  • If you specify negative lists (deny entries) in URL filters, use case-insensitive filters because AS ABAP treats URLs as case-insensitive.

Comparison of the filter mechanisms (ACL files, Authentication Handler, HTTP request manipulation handler):

Use

  ACL files: Use ACL files to restrict access to specific client IP addresses or client IP address ranges if the restriction does not depend on the content of the HTTP request (nor on the URL), and no HTTP error page is required. For more information, see Setting Up Access Control Lists (ACL).

  Authentication Handler: Use the authentication handler to set up URL filters. Rules in the authentication handler can also refer to specific client IP addresses, or to server IP addresses. More information: icm/HTTP/auth

  HTTP request manipulation handler: Use the HTTP rewrite handler for filters that cannot be mapped by ACL files or the authentication handler. The rewrite handler is a powerful tool for various filtering mechanisms. It enables large amounts of data in an HTTP request to be checked and combined using a set of rules, and different actions can be performed for the matching request. For more information, see Modifying HTTP Requests.

Reloading the configuration file dynamically

  ACL files: Possible
  Authentication Handler: Possible
  HTTP request manipulation handler: Possible

Positive or negative lists

  ACL files: Both, also mixed possible
  Authentication Handler: Both, also mixed possible
  HTTP request manipulation handler: Both, also mixed possible

Filters on URLs, handling uppercase and lowercase

  ACL files: -
  Authentication Handler: The redirect is active in the default setting.
  HTTP request manipulation handler: Yes, case sensitivity can be configured for each filtering rule

Security logging

  ACL files: Yes
  Authentication Handler: Yes
  HTTP request manipulation handler: No

Filtering on client IP addresses, including net masks

  ACL files: Yes
  Authentication Handler: Yes
  HTTP request manipulation handler: Yes

  • Use the Hide and Remove options as required:

  • Make the following settings to increase security for the Web Admin interface.

    • Use HTTPS to prevent the password from being intercepted. To do this, use in the URL an HTTPS port that you set up with parameter icm/server_port_<xx>.

    • Allow the administration of the Web Dispatcher to be done only on ports with a secure protocol (HTTPS), by setting the PORT option of parameter icm/HTTP/admin_<xx> to an HTTPS port.

    • Configure as the admin port a port that can only be accessed from the internal network. To do this, use the PORT option of parameter icm/HTTP/admin_<xx>.

    • Only allow administration tasks to be done under a specific host name/IP address that can only be accessed from the internal network. Use option HOST of parameter icm/HTTP/admin_<xx>.

    • Restrict the administration to clients in the internal network. To do this use the CLIENTHOST option of parameter icm/HTTP/admin_<xx>.

    For more information see Using the Web Administration Interface.
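The measures above, collected into one instance profile fragment as an added example (not code from this page or from SAP). Instance paths, host names, port numbers, the admin client address and the exact syntax of the redirect rule file are assumptions; the parameter names are those the measures refer to.

```ini
# Added example: SAP Web Dispatcher instance profile fragment.
# Host names, ports, paths and the rule-file syntax are assumptions.

# --- Weak settings (shown for contrast, do not use) ---
# icm/server_port_0 = PROT=HTTP,PORT=8000      # cleartext only, passwords and data readable on the wire
# is/HTTP/show_detailed_errors = TRUE          # technical error details reach the client
# wdisp/ssl_encrypt = 0                        # cleartext between Web Dispatcher and back end

# --- Hardened settings ---
# HTTPS port for clients (SSL/PSE setup as in "Configuring the SAP Web Dispatcher to Support SSL")
icm/server_port_0 = PROT=HTTPS,PORT=44300
# Plain HTTP port kept only so that the rewrite handler can redirect it to HTTPS
icm/server_port_1 = PROT=HTTP,PORT=8000
# Rewrite handler: rule file that redirects HTTP requests to the HTTPS port (content below)
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_INSTANCE)/redirect.txt

# Encrypt the connection to the back-end systems as well (2 = always use HTTPS to the back end)
wdisp/ssl_encrypt = 2

# Own error pages; no technical reason for an error is shown to the end user
icm/HTTP/error_templ_path = $(DIR_INSTANCE)/data/icmerror
is/HTTP/show_detailed_errors = FALSE

# Web Admin interface: only on the HTTPS port, bound to an internal address (HOST),
# and only for one internal administration client (CLIENTHOST)
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=$(icm/authfile),PORT=44300,HOST=10.0.0.5,CLIENTHOST=10.0.0.42

# Assumed content of $(DIR_INSTANCE)/redirect.txt (verify the syntax against
# "Modifying HTTP Requests"): a request that arrived over plain HTTP is answered
# with a redirect to the same path on the HTTPS port.
#   if %{SERVER_PROTOCOL} stricmp HTTP
#   RegIRedirectUrl ^/(.*) https://wdisp.example.internal:44300/$1
```

Clients that do not follow redirects (for example web service end points) still need their URLs changed to HTTPS by hand, as noted above.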

More Information

For up-to-date information about security settings for the Web Dispatcher, refer to SAP Note 870127 (information published on the SAP site).