
icm/HTTP/auth_<xx>

Use

With this parameter you can set up access restrictions in the ICM and SAP Web Dispatcher.

To protect the ICM and the back-end system (ABAP or J2EE Engine), there is an HTTP subhandler (filter) that can block requests using various criteria. When the filter is activated, it filters each HTTP(S) request to the ICM or Web Dispatcher before the request is passed to another HTTP handler (file access, cache, administration, redirect) or to the back-end system (ABAP or J2EE Engine).

See:

SAP Web Dispatcher as a URL Filter

You can filter requests according to the following criteria:

     URL

     Client IP address

     Server IP address

     User name/user group and password

     String search in the URL

Integration

The authentication subhandler extends the functions of the SAP Web Dispatcher URL filter and of the authentication of the Web-based administration interface.

When this access filter is used, the two other procedures can be deactivated:

     SAP Web Dispatcher URL filter:

wdisp/permission_table =

     Web administration interface:

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=none

Properties

Work area

Internet Communication Manager, SAP Web Dispatcher

Unit

Character string

Standard value

icm/HTTP/auth_0= PREFIX=/, FILTER=1

Dynamically changeable

No

Value Range and Syntax

To set up the access restrictions use the parameter with the following syntax:

icm/HTTP/auth_<xx> = PREFIX=<URL prefix>[,PERMFILE=<permission file>][,AUTHFILE=<authentication file>][,FILTER=1]

<xx> must be specified in ascending order from "0".

This is explained below.

     PREFIX

URL prefix for which the HTTP subhandler is to be called.

     PERMFILE

Optional specification:

Name of the permission file in the file system

     AUTHFILE

Optional specification:

Name of the user file or system for authentication of an operating system user

     FILTER

Optional specification:

Activate string search (default value: on). If you switch it to 0, the filter is deactivated. For more information, see Pattern.

PERMFILE

In the permission file you determine the type of access protection. The permission file has the following structure:

     Comment lines start with a # and are ignored.

     Other lines have the form:

P/D/S <URI-pattern> <USER> <GROUP> <CLIENT-IP> <SERVER-IP>

where the letter at the start of the line has the following meaning:

     P (Permit) lets the request through.

     D (Deny) refuses the request and sends a message to the client.

     S (Secure) only allows secure connections (HTTPS) for the URL prefix.

     <URI pattern> is the section of the URL that is labeled in the cache key section as translated path.

     You can use the wildcard character * for the URI pattern, but only at the start or the end of the <URI pattern> string.

The default value of empty entries is *, which permits everything.

For a request to be allowed through with P (Permit), all the conditions must be fulfilled.

With D (Deny) only one condition has to be fulfilled for the request to be rejected.

The conditions are checked from top to bottom.

If one of the conditions for D or P is true, the check ends, and the request is permitted or denied by the subhandler.

Caution

Note that the URI permission table is case sensitive.

Example

     URI Pattern   User      Group   Client IP address   Server IP address
D    /pub          someone   *
D    /pub          *         *       *                   10.18.55.50
P    /sap/admin    *         admin   *                   10.18.55.40
D    /             *         *       *                   *
Note

Use positive lists

Since the URL permission table is case sensitive, it is important to create the table as a positive list.

List all the URLs that are to be permitted, and at the end of the table add the row D / * * * *

AUTHFILE (optional)

The AUTHFILE determines the permitted users and passwords, and is required if entries for USER or GROUP are made in the permission file.

Possible values for AUTHFILE are:

     System

The user is authenticated against an operating system user.

     <File name>

File with user name, group name, and protected passwords.

The authorization file can be generated and maintained using the program icmon (icmon -a). It has the following structure:

     Comment lines start with a # and are ignored.

     Other lines have the form:

<user>:<password hash>:<user group>:<DN client certificate>

Example

Authentication for the ICM and SAP Web Dispatcher:

test:$apr1$/iTOQ$EOABCDFDDj55EqL0:user

sidadm:$apr1$/iTOQ$EOcAYBCD55EqL0:admin
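The permission-file rules above (P/D/S rule types, wildcards only at the start or end of the URI pattern, a closing D / * * * * row, and AUTHFILE being required once USER or GROUP is used) can be checked before a file is deployed. The following linter is an added example, not SAP code; the function names and the authfile_set flag are hypothetical, and it assumes that fields are separated by whitespace.

```python
# Added example: lint an ICM/Web Dispatcher permission file (PERMFILE).
# Function names and the authfile_set flag are hypothetical, not SAP APIs.

CATCH_ALL = ["D", "/", "*", "*", "*", "*"]  # closing row of a positive list

# Constructed sample: the example table from this page written as file lines.
PAGE_EXAMPLE = """\
# permission file
D /pub someone *
D /pub * * * 10.18.55.50
P /sap/admin * admin * 10.18.55.40
D / * * * *
"""

def parse_permfile(text):
    """Return [(line_no, fields)]; comments skipped, empty entries become '*'."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # assumption: whitespace-separated fields
        fields += ["*"] * (6 - len(fields))  # default of empty entries is *
        rules.append((no, fields))
    return rules

def lint_permfile(text, authfile_set):
    """Return [(line_no, message)]; line_no 0 marks a whole-table finding."""
    findings = []
    rules = parse_permfile(text)
    for no, f in rules:
        kind, uri, user, group = f[:4]
        if kind not in ("P", "D", "S"):
            findings.append((no, "rule type must be P, D or S"))
        if len(f) > 6:
            findings.append((no, "more than five fields after the rule type"))
        if "*" in uri.strip("*"):  # * is only allowed at the start or end
            findings.append((no, "wildcard inside URI pattern"))
        if (user != "*" or group != "*") and not authfile_set:
            findings.append((no, "USER/GROUP entry but no AUTHFILE configured"))
    if not rules or rules[-1][1] != CATCH_ALL:
        findings.append((0, "table does not end with 'D / * * * *'"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_permfile(PAGE_EXAMPLE, authfile_set=False):
        print(f"line {no}: {msg}")
```

Run against the page's example table without an AUTHFILE, it reports the rows that name the user someone and the group admin; with an AUTHFILE configured, the table passes.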

 

More Information

Note the following documentation:

icm/HTTP/admin_<xx>

Using Web Admin Interface with X.509 Certificate