SAP Web Dispatcher and SSL (SAP Library - Architecture of the SAP Web Application Server)

SAP Web Dispatcher and SSL

Unlike HTTP, with HTTPS (end-to-end SSL) the SAP Web dispatcher cannot read any request data and therefore cannot interpret any session cookies that may be available (with stateful applications). The necessary information for forwarding the request to the correct server is therefore missing. The SAP Web dispatcher cannot decide whether the request belongs to a stateless or a stateful application.

As a result, the SAP Web dispatcher forwards the encoded data unchanged to the application server, where the data is finally decoded.

The only distinguishing criterion that is available to the SAP Web dispatcher is the client IP address. As a result, the SAP Web dispatcher manages a mapping table between the client IP address and the application server. If a request from a client IP address is sent to application server X, all subsequent requests from this client IP address must also be sent to this sever, since it could well be a stateful application. Load balancing therefore only takes place upon the very first client request.

Problems

This process hides the following problems.

All companies use proxies. This means that requests that are sent via a proxy are sent to one server. As a result, this cancels load balancing with the first request.
Large companies use several parallel proxies (which in turn also balance load) as access to the Internet. This means that a request from the same client is sent via proxy A, and a later request from the same client, belonging to the same session, is sent via proxy B to the SAP Web dispatcher, and therefore has a different client IP address.

Solution

You can use profile parameter wdisp/HTTPS/sticky_mask to group several client IP addresses into a logical address. Profile Parameter of the SAP Web Dispatcher describes the exact functions of this parameter.

The default is: Mask 255.255.240.0 is joined with the real IP address UND; this hides the lowest 12 Bits, that is, 124.94.55.1 and 124.94.55.99 are then interpreted as the same.

Mapping Table

The mapping table, which is used by the SAP Web dispatcher to manage client IP addresses and the application severs that are assigned, has the following properties.

The size of the mapping table depends on the sticky mask. The more bits that are hidden, the smaller the mapping table becomes. Profile parameter wdisp/HTTPS/max_client_ip_entries defines the maximum number of entries that this table can hold. Profile Parameter of the SAP Web Dispatcher describes the exact functions of this parameter.

Caution

Note: If the mapping table is full, that is, the value of wdisp/HTTPS/max_client_ip_entries has been reached, the SAP Web dispatcher no longer balances the load! The parameter should therefore always be set according to your needs and resources.

There is no timeout for the entries in the mapping table. If a server is shut down, the context is deleted on this server. The system looks for a new server for the client IP address.

Selecting a Suitable Application Server

HTTP-Enabled Application Server

With parameter wdisp/HTTPS/dest_logon_group (see Profile Parameter of the SAP Web Dispatcher) you define a logon group with HTTPS-enabled application servers, to which all HTTPS request are then sent.

ABAP or J2EE Server

Since the SAP Web dispatcher cannot decide whether a request should be processed by an ABAP or a J2EE server, all servers in the logon group for HTTPS requests must provide the same services. Of course, all servers must be HTTPS-enabled, and one of the following points must apply:

All servers offer J2EE and ABAP
All servers offer ABAP only
All servers offer J2EE only