cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Webdispatcher configuration for ABAP Dynpro

Go to solution
kunal_belnekar3
Explorer

on ‎05-20-2014 8:18 PM

0 Kudos

Hi,

This is what we are trying to achieve

Typing http://mycustomURL should redirect me to https://mySapWebAS:port/nwbc

The browser should display https://mycustomURL/

Configuration:

We have a Web Dispatcher on the same SAP Web Application server (Let's call it mySapWebAS as "eccdev"). We also have a DNS alias for mycustomURL pointing to eccdev

Below are the parameters of the Web Dispatcher

icm/server_port_1 = PROT=HTTP,PORT=80,EXTBIND=1,TIMEOUT=300,PROCTIMEOUT=300,HOST=mycustomURL.domain.com

icm/server_port_2 = PROT=HTTPS,PORT=443,EXTBIND=1,TIMEOUT=300,PROCTIMEOUT=300,HOST=mycustomURL.domain.com

icm/HTTP/redirect_0=PREFIX=/,TO=/sap/bc/nwbc,FROM=*,PROT=HTTPS,HOST=eccdev.domain.com,PORT=8001(8001 is icm port for HTTPS)

In tcode SMMS, both HTTP and HTTPS ports  are open.

MS Ports: HTTP: 8100, HTTPS: 8101

Also are SMICM ports

ICM Ports: (8000 for HTTP and 8001 for HTTPS)

I also have SSL configured for Web AS. So https://eccdev:8001/nwbc works fine. No certificate errors there.

Issue:

1. When I use parameter icm/HTTP/redirect_0=PREFIX=/,TO=/sap/bc/nwbc,FROM=*,PROT=HTTPS,HOST=eccdev.domain.com,PORT=8001, I am able to get the URL (https://eccdev.domain.com:8001/sap/bc/nwbc) without certificate errors, but I have the hostname eccdev.domain.com and the port displayed, both of which I would like to hide.

2. If I change the parameter to icm/HTTP/redirect_0=PREFIX=/,TO=/sap/bc/nwbc,FROM=*,PROT=HTTPS,HOST=mycustomURL.domain.com, the URL does not have the eccdev hostname but I am getting a invalid certificate message.

3. If I remove the PORT=8001 from the redirect, the request does not resolve.

I have tried

1. URL modification: icm/HTTP/mod_0 = PREFIX=/,FILE=/usr/sap/sapwebdispatcher/icm_filter_rules.txt

The file icm_filter_rules.txt

if %{HTTP_HOST} regimatch "eccdev.domain.com"

RegIRewriteUrl (.*)/nwbc [qsreplace]

There are other things I have tried which I will add depending on the comments/questions I receive.

Question:

Why does the request not resolve when I remove the port parameter from the redirect ? Should it not ?

Any idea why I get the certificate error when I use HOST=mycustomURL.domain.com when I use that name in the redirect ?

Does the URL rewrite have a syntax error ? Why does that not work ?

Web Dispatcher log is as shown below

[Thr 140721784076048] =================================================

[Thr 140721784076048] = SSL Initialization    platform tag=(linuxx86_64_gcc41)

[Thr 140721784076048] =   (711_REL,Sep  7 2012,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 140721784076048]   profile param "ssl/ssl_lib" = "/usr/sap/SID/DVEBMGS00/sec/libsapcrypto.so"

[Thr 140721784076048]            resulting Filename = "/usr/sap/SID/DVEBMGS00/sec/libsapcrypto.so"

[Thr 140721784076048] =   found SAPCRYPTOLIB  5.5.5C pl36  (Jul  3 2013) MT,AESNI,NB

[Thr 140721784076048] =   current UserID: "sidadm",  env-var USER="sidadm"

[Thr 140721784076048] =   found SECUDIR environment variable

[Thr 140721784076048] =   using SECUDIR=/usr/sap/SID/DVEBMGS00/sec

[Thr 140721784076048]   profile param "ssl/server_pse" = "/usr/sap/SID/DVEBMGS00/sec/MY.pse"

[Thr 140721784076048]            resulting Filename = "/usr/sap/DEV/DVEBMGS00/sec/MY.pse"

[Thr 140721784076048]   profile param "ssl/client_pse" = "/usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse"

[Thr 140721784076048]            resulting Filename = "/usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse"

[Thr 140721784076048] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/SID/DVEBMGS00/sec/sec/SAPSSLA.pse" not found,

[Thr 140721784076048] =      using PSE "/usr/sap/SIDDVEBMGS00/sec/SAPSSLC.pse" as fallback

[Thr 140721784076048] = Success -- SapCryptoLib SSL ready!

[Thr 140721784076048] =================================================

ICMBND log

RAW handle for "mycustomURL.domain.com:443" (only on this adapter) successfully bound

icmbnd: exit process with rc=0

RAW handle for "mycustomURL.domain.com:80" (only on this adapter) successfully bound

icmbnd: exit process with rc=0

Other parameters set for Web Disp

icm/HTTPS/verify_client = 0

wdisp/add_clientprotocol_header = 1

wdisp/ssl_encrypt = 1

wdisp/add_clientprotocol_header = 1

Any help will be appreciated.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎05-20-2014 9:28 PM
0 Kudos

1. Redirects are exactly what the name says, Web Dispatcher will return a HTTP variable indicating that the content has been moved and instructs the client to look at a new location which the client does assuming it reacts to redirects. See the Wikipedia article on URL redirection for details. The only way you can hide parts of the URI is by rewriting URLs in Web Dispatcher. I would however recommend against it because the rewrite rules can get complicated not to mention you could break client applications.

2. Because the SSL server certificate hostname doesn't match with the hostname of the request.

3. Because it uses port 443 which is the HTTPS port of Web Dispatcher.

Show replies
Show replies
kunal_belnekar3
Explorer
‎05-21-2014 12:12 AM
0 Kudos

"Because the SSL server certificate hostname doesn't match with the hostname of the request"

Thank you ! That helped me and made me look at the certificate the browser was receiving. I regenerated all the Server PSEs with the customURLname and that worked. Ofcourse the documentation does not cater to what I need to do.

Any ideas on how to get the rewrite to work ? I am using the below function

if %{HTTP_HOST} regimatch "eccdev.domain.com"

RegIRewriteUrl (.*)/nwbc [qsreplace]

I don't see the other apps being affected. We do not have any other dynpro apps. Plus there is a predefined alias /nwbc. So we should be safe.

Former Member
‎05-21-2014 12:26 AM
0 Kudos

Sorry I can't help you implement the URL rewrite because a) it's a bad idea b) it would take a lot of time. It is easy to just add /nwbc to any URL, the challenge becomes what if the original URL already contained /nwbc and something after that, e.g. /nwbc/~api/getnavigationtrees? What if the URL didn't contain /nwbc but some other ICF alias/service that NWBC uses, etc.

Answers (0)

Ask a Question