The whitelist is maintained in a single text file in the admin folder.
For Microsoft Windows Server 2003 this file is located in %ALLUSERSPROFILE%\Application Data\SAP\NWBC\Whitelist.ini.
For all other operating systems this file is located in %ALLUSERSPROFILE%\SAP\NWBC\Whitelist.ini.
The file format is very similar to standard Windows INI files. Each system is introduced by a header consisting of the SID (for SAP EP connections, the connection name) enclosed in square brackets, for example [ABC]. Be aware that the system ID is case-sensitive.
Following the header line, each whitelist pattern is stated in a separate line, for example, *://*.mydomain.com:*/*.
The file can contain comments, which are introduced by a semicolon, for example:
; this is a comment line
It is possible to define global whitelist patterns that are applied for all systems. These are defined in the [*] section.
A whitelist pattern for standard http/https/ftp URLs consists of four parts: the protocol, the host, the port, and the path. It is possible to use wildcards to generalize the pattern:
The protocol must be specified either in full or as a * for any protocol. It is not possible to wildcard only part of the protocol; for example, this is not allowed: http*://
The host can be generalized by using a single * at the very beginning, for example, *.myhost.mydomain
The port is optional. If you do not state the port, the default port for the protocol is used, that is, 80 for http and 443 for https. A * stands for any port.
The path can be generalized by using a single * at the very end, for example, /allowed/path/*
It is also possible to specify other protocols like file: or mailto:. These are handled as having only two parts, the protocol and the path.
An example Whitelist.ini file could look like this:
; global entries for all systems
[*]
*://*.mydomain.com:*/*
; system ABC
[ABC]
*://*.google.com/*
; a connection against an SAP portal using the connection name 'My Portal Connection'
[My Portal Connection]
; for simplicity a single * can be used to allow all URLs (equivalent to *://*:*/*)
*
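
The matching rules described above can be checked offline before a Whitelist.ini is rolled out. The following Python sketch is an added example, not SAP code and not part of the original documentation; it implements the rules as this page states them for four-part http/https/ftp patterns only. Assumptions: the function names are hypothetical, the ftp default port is taken as 21, hosts are compared case-insensitively, a pattern without a port uses the default port of the URL's own protocol, and two-part protocols such as file: or mailto: are only allowed by a bare *.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}  # ftp value is an assumption

# Constructed sample, shortened from the example file above.
SAMPLE = """; global entries for all systems
[*]
*://*.mydomain.com:*/*
[ABC]
*://*.google.com/*
[My Portal Connection]
*
"""

def parse_whitelist(text):
    """Return {section: [patterns]}; section names are kept case-sensitive."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections

def _wild(pattern, value, leading):
    """A single '*' only: at the very start (host) or the very end (path)."""
    if leading and pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if not leading and pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

def pattern_matches(pattern, url):
    """Four-part http/https/ftp patterns only; anything else fails closed."""
    if pattern == "*":
        return True                        # shorthand for *://*:*/*
    proto, sep, rest = pattern.partition("://")
    u = urlsplit(url)
    if not sep or proto not in ("*", u.scheme) or u.scheme not in DEFAULT_PORTS:
        return False                       # also rejects partial forms like http*://
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    url_port = u.port or DEFAULT_PORTS[u.scheme]
    want = DEFAULT_PORTS[u.scheme] if port == "" else port
    return (_wild(host.lower(), u.hostname or "", True)
            and (want == "*" or str(want) == str(url_port))
            and _wild("/" + path, u.path or "/", False))

def is_allowed(sections, system, url):
    """Global [*] patterns apply to every system, then the system's own."""
    patterns = sections.get("*", []) + sections.get(system, [])
    return any(pattern_matches(p, url) for p in patterns)
```

Under these rules, *://*.google.com/* in [ABC] admits only the default port of the requested protocol, and a section name that differs only in case (abc instead of ABC) receives the global [*] entries alone.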