icm/HTTP/auth_<xx>

With this parameter you can set up access restrictions in the ICM and SAP Web Dispatcher (as “white list” or “black list”).

To protect the ICM and the back-end system (AS ABAP or AS Java), there is an HTTP subhandler (filter) that can block requests using various criteria. When the filter is activated, it filters each HTTP(S) request to the ICM or Web Dispatcher before the request is passed to another HTTP handler (file access, cache, administration, redirect) or to the back-end system (AS ABAP or AS Java).

You can filter requests according to the following criteria:

  • URL

  • Client IP Address

  • Server IP Address

  • User name/user group and password

  • String search in the URL

Structure

Work area: Internet Communication Manager, SAP Web Dispatcher

Unit: Character string

Default value: icm/HTTP/auth_0 = PREFIX=/, FILTER=SAP

Dynamically changeable: No

Value Range and Syntax

To set up the access restrictions use the parameter with the following syntax:

Syntax

icm/HTTP/auth_<xx> = PREFIX=<URL prefix>
    [,PERMFILE=<permission file>, AUTHFILE=<authentication file>, FILTER=<name>]

The <xx> index is a number without a leading 0. You do not need to use the indexes in ascending order; that is, you can, for example, configure only icm/HTTP/auth_2.

Note

Not all combinations of options are possible. The following combinations are useful:

  • icm/HTTP/auth_<xx> = PREFIX=<prefix>

  • icm/HTTP/auth_<xx> = PREFIX=<prefix>, PERMFILE=<permfile>

  • icm/HTTP/auth_<xx> = PREFIX=<prefix>, PERMFILE=<permfile>, FILTER=<filter name>

  • icm/HTTP/auth_<xx> = PREFIX=<prefix>, PERMFILE=<permfile>, AUTHFILE=<authfile>

  • icm/HTTP/auth_<xx> = PREFIX=<prefix>, PERMFILE=<permfile>, AUTHFILE=<authfile>, FILTER=<filter name>

There is no point in having an AUTHFILE without a PERMFILE. It only makes sense to deactivate the filter if a PERMFILE is being used.

The options are explained below.

  • PREFIX

    URL prefix for which the HTTP subhandler is to be called.

  • PERMFILE

    Optional specification:

    Name of the permission file in the file system

  • AUTHFILE

    Optional specification:

    Name of the user file, or the value System, used to authenticate the user (see AUTHFILE below)

  • FILTER

    Optional specification:

    Name of the profile for the search template (default: SAP). If you leave out this option, the filter is deactivated. You can dynamically activate or deactivate filtering with the parameter csi/enable, which you can find on the Web administration interface.

  • CASE

    Specifies the case sensitivity of URL prefixes in PERMFILE. TRUE means that the URL prefixes are handled case-sensitively. FALSE means that the URL prefixes are handled case-insensitively. The default is FALSE. We also recommend this setting.

    Since AS ABAP handles URLs case-insensitively, you should always configure negative lists case-insensitively. CASE=TRUE can only be used meaningfully if the permission file only contains positive entries (entries of type "P").

PERMFILE

In the permission file you determine the type of access protection. The permission file has the following structure:

  • Comment lines start with a # and are ignored.

  • Other lines have the form:

    P/D/S <URI pattern> <USER> <GROUP> <CLIENT-IP> <SERVER-IP>

    where the letter at the start of the line has the following meaning:

    • P (Permit) lets the request through.

    • D (Deny) refuses the request and sends a message to the client.

    • S (Secure) only allows secure connections (HTTPS) for the URL prefix.

    • <URI pattern> is the section of the URL that is labeled in the cache key section as translated path.

  • You can use the wildcard character * for the URI pattern, but only at the start or the end of the <URI pattern> string.

  • For the client and server IP address you can use an exact comparison, the wild card character *, or the net mask syntax.

The default value of empty entries is *, which permits everything.

The conditions are checked from top to bottom.

If one of the conditions for D or P is true, the check ends, and the request is permitted or denied by the subhandler.

If none of these conditions in the table is met, the request is denied.

Caution

Note the following:

The default setting of the URI access table is case insensitive.

The lines in the table are processed from top to bottom. Therefore it is important that the specific entries are defined at the start of the table (see example 2).


Table “permfile.txt” enables access to /sap/admin through server IP address 192.168.2.40. Only client IP addresses from subnetwork 192.168.1.0/24 are valid.

Example 1: icm/HTTP/auth_0 = PREFIX=/sap/admin, PERMFILE=permfile.txt, AUTHFILE=authfile.txt

  P/D/S  URI Pattern   User  Group  Client IP Address  Server IP Address
  P      /sap/admin    *     admin  *                  10.18.55.40
  P      /sap/admin/*  *     admin  10.*.55.*          10.18.55.*

Table “permfile2.txt” enables access to URI /sap/bc/echo only through client IP address 10.18.55.50. All other URIs below /sap/bc/ are not blocked.

Example 2: icm/HTTP/auth_1 = PREFIX=/sap/bc, PERMFILE=permfile2.txt

  P/D/S  URI Pattern   User  Group  Client IP Address  Server IP Address
  P      /sap/bc/echo  *     *      10.18.55.50        *
  D      /sap/bc/echo  *     *      *                  *
  P      /sap/bc/*     *     *      *                  *
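A small model of the permission-file evaluation described above (top-to-bottom check, first matching P or D ends the check, no match means deny, CASE=FALSE by default), applied to permfile2.txt and to a mis-ordered variant that shows why the specific entries must come first. This is an added example, not SAP's code; it assumes the net mask syntax is CIDR notation, does not model S entries, and treats user and group as already authenticated strings.

```python
# Model of how an icm/HTTP/auth_<xx> PERMFILE is evaluated (added example, not SAP's code):
# lines are "P/D <URI pattern> <USER> <GROUP> <CLIENT-IP> <SERVER-IP>", checked top to
# bottom; the first matching P or D ends the check, and no match means deny. S is not modelled.
import ipaddress

def ip_matches(pattern, ip):
    """Exact match, '*' (whole or per octet, e.g. 10.*.55.*) or net mask (assumed CIDR, 192.168.1.0/24)."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    pat, octets = pattern.split("."), ip.split(".")
    return len(pat) == len(octets) and all(p in ("*", o) for p, o in zip(pat, octets))

def uri_matches(pattern, path, case=False):
    """'*' is allowed only at the start or end of the pattern; CASE=FALSE (case-insensitive) is the default."""
    if not case:
        pattern, path = pattern.lower(), path.lower()
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def parse_permfile(text):
    """Skip '#' comment lines and blank lines; missing trailing fields default to '*'."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            rules.append((fields + ["*"] * 6)[:6])
    return rules

def evaluate(rules, path, client_ip, server_ip, user="*", group="*", case=False):
    """Return 'PERMIT' or 'DENY' for one request; user/group are the AUTHFILE-authenticated values."""
    for kind, uri, u, g, cip, sip in rules:
        if (kind in ("P", "D") and uri_matches(uri, path, case) and u in ("*", user)
                and g in ("*", group) and ip_matches(cip, client_ip) and ip_matches(sip, server_ip)):
            return "PERMIT" if kind == "P" else "DENY"
    return "DENY"  # nothing matched: the subhandler denies the request

# Constructed permission files: permfile2.txt as given on the page, and a mis-ordered variant
# in which the catch-all P line comes first and shadows the D line for /sap/bc/echo.
PERMFILE2 = """# /sap/bc/echo only from client 10.18.55.50; other URIs below /sap/bc/ stay open
P /sap/bc/echo * * 10.18.55.50 *
D /sap/bc/echo * * * *
P /sap/bc/* * * * *
"""
PERMFILE2_WRONG_ORDER = "P /sap/bc/* * * * *\nD /sap/bc/echo * * * *\n"
```

With the page's ordering, /sap/bc/echo from any client other than 10.18.55.50 is denied; with the catch-all line first, the D line is never reached and the request is permitted.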

AUTHFILE (optional)

The AUTHFILE determines the permitted users and passwords, and is required if entries for USER or GROUP are made in the permission file.

Possible values for AUTHFILE:

  • System: The user is authenticated against an operating system user.

  • <File name>: File with user name, group name, and protected passwords.

The authentication file can be generated and maintained using the programs wdispmon and icmon (option -a). It has the following structure:

  • Comment lines start with a # and are ignored.

  • Other lines have the form:

    <User>:<password hash>:<user group>:<DN client certificate>

Example

Authentication for the ICM and SAP Web Dispatcher:

test:$apr1$/iTOQ$EOABCDFDDj55EqL0:user

sidadm:$apr1$/iTOQ$EOcAYBCD55EqL0:admin

Integration

The authentication subhandler extends the functions of the SAP Web Dispatcher URL filter and of the authentication of the Web-based administration interface.

When this access filter is used, the two other procedures can be deactivated:

  • SAP Web Dispatcher URL filter:

    wdisp/permission_table =

  • Web administration interface:

    icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=none