Configuring SAP Web Dispatcher Profile Parameters

SAP recommends that you configure the reverse proxy to use HTTPS/SSL for both inbound and outbound communication. In other words, you configure SAP Web Dispatcher to act as an SSL server towards the mobile client, and as an SSL client towards SAP Mobile Platform.

To set up inbound communication from the client to SAP Web Dispatcher, and outbound communication from SAP Web Dispatcher to SAP Mobile Platform Server, make the following settings:

Configure SAP Web Dispatcher to terminate and reencrypt SSL.
Configure the SAP Web Dispatcher server port.
In order to satisfy the requirement of the Same Origin Policy, all systems in an SAP Fiori app landscape have to be served by a single Web server access point. Therefore, you configure a single icm/server_port in SAP Web Dispatcher to serve all back-end systems of an SAP Fiori scenario.

If you use X.509 client certificates distributed with SAP Afaria for user authentication, by default, Web Dispatcher will forward the client certificate within the HTTP header. In this case, you configure Web Dispatcher to require a valid certificate from the client in order to gain access to application resources.
Configure the connection to your SAP Mobile Platform Server or server cluster
If you installed SAP Mobile Platform in a server cluster, SAP Web Dispatcher will balance the load among the cluster nodes.

Procedure

Open the Web Dispatcher profile file sapwebdisp.pfl.

Configure the following parameters:

Parameter	Example Value
wdisp/ssl_encrypt Determines how SAP Web Dispatcher handles inbound HTTP(S) requests. Specify 1 to terminate and reencrypt inbound HTTPS requests.	wdisp/ssl_encrypt = 1
icm/server_port_<`xx`> Configures the SAP Web Dispatcher server port to use for incoming HTTPS requests. The index <`xx`> is for a number without a leading 0. The indexes do not need to be used in ascending order. The VCLIENT subparameter specifies whether a client must produce a certificate: 0: No certification is required and the server does not ask for one 1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication (default setting). 2: The client must transfer a valid certificate to the server, otherwise access is denied.	Example for one-way SSL: icm/server_port_1 = PROT=HTTPS,PORT=9081 Example for mutual SSL: icm/server_port_1 = PROT=HTTPS,PORT=9082,VCLIENT=2
wdisp/system_<`xx`> Configures the Web Dispatcher for your SAP Mobile Platform Server or server cluster. Use EXTSRV to specify the URLs of one or more SAP Mobile Platform servers. The URLs should have the syntax <`protocol`>://<`hostname`>:<`port`> and be separated by semicolons. Note By default, SAP Mobile Platform Server uses port 8081 for one-way HTTPS and port 8082 for mutual HTTPS. End of the note. Use SRCSRV to specify the host/port combination of the source services Use STICKY = true to specify that requests from a client are always forwarded to the same application server for load balancing.	Example for one-way SSL to an SAP Mobile Platform server cluster with 2 nodes: wdisp/system_0 = SID=SEC, EXTSRV=https://smpserver1:8081;https://smpserver2:8081, SRCSRV=:9081, STICKY=true Example for mutual SSL* to an SAP Mobile Platform server cluster with 2 nodes: wdisp/system_0 = SID=MUL, EXTSRV=https://smpserver1:8082;https://smpserver2:8082, SRCSRV=*:9082, STICKY=true

Parameter

Example Value

wdisp/ssl_encrypt

Determines how SAP Web Dispatcher handles inbound HTTP(S) requests. Specify 1 to terminate and reencrypt inbound HTTPS requests.

wdisp/ssl_encrypt = 1

icm/server_port_<xx>

Configures the SAP Web Dispatcher server port to use for incoming HTTPS requests.

The index <xx> is for a number without a leading 0. The indexes do not need to be used in ascending order.

The VCLIENT subparameter specifies whether a client must produce a certificate:

0: No certification is required and the server does not ask for one
1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication (default setting).
2: The client must transfer a valid certificate to the server, otherwise access is denied.

Example for one-way SSL:

icm/server_port_1 = PROT=HTTPS,PORT=9081

Example for mutual SSL:

icm/server_port_1 = PROT=HTTPS,PORT=9082,VCLIENT=2

wdisp/system_<xx>

Configures the Web Dispatcher for your SAP Mobile Platform Server or server cluster.

Use EXTSRV to specify the URLs of one or more SAP Mobile Platform servers. The URLs should have the syntax <protocol>://<hostname>:<port> and be separated by semicolons.

Note
By default, SAP Mobile Platform Server uses port 8081 for one-way HTTPS and port 8082 for mutual HTTPS.

End of the note.
Use SRCSRV to specify the host/port combination of the source services
Use STICKY = true to specify that requests from a client are always forwarded to the same application server for load balancing.

Example for one-way SSL to an SAP Mobile Platform server cluster with 2 nodes:

wdisp/system_0 = SID=SEC, EXTSRV=https://smpserver1:8081;https://smpserver2:8081, SRCSRV=*:9081, STICKY=true

Example for mutual SSL to an SAP Mobile Platform server cluster with 2 nodes:

wdisp/system_0 = SID=MUL, EXTSRV=https://smpserver1:8082;https://smpserver2:8082, SRCSRV=*:9082, STICKY=true

Note Note

If the SAP Web Dispatcher instance is used only for SAP Mobile Platform, you only need the wdisp/system_<xx> parameter to specify the system. The additional parameters rdisp/mshost, ms/http_port, and ms/https_port are irrelevant in this scenario, and should be removed to avoid confusion.

End of the note.

Restart SAP Web Dispatcher.

More Information

Setting Up Communication Channels

SAP Web Dispatcher: Setup of Communication