
Web dispatcher forwarding issue

Hello

I have an issue with my Web Dispatcher configuration. My scenario is as follows:

SAP ABAP Server - Internal server

SAP Web Dispatcher 753 - DMZ

External .NET Server - Public internet site

Firewall permitted http(s) port of ICM and message server of ABAP server from Web Dispatcher server to ABAP server. HTTPS port of Web Dispatcher is allowed to SAP ABAP server. External URL is accessible from Web Dispatcher server.

What I want to achieve is, if I put Web Dispatcher link in SAP ABAP Server, like https://webdisp:48000 it should open https://test.externalsite.com/url/url

It is forwarding correctly in Web Dispatcher server, but when I do it in SAP ABAP Server, it is trying to connect to https://test.externalsite.com:443 directly. If I change externalsite parameter to some other site, SAP ABAP Server is trying to connect to that site.

I have no intention to open internal sites to internet but I am stuck at configuring web dispatcher.

In the Web Dispatcher profile I used the parameters below:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, PROT=HTTPS, HOST=test.externalsite.com
wdisp/system_0 = SID=EXT, EXTSRV=https://test.externalsite.com, STICKY=true, SSL_ENCRYPT=2
ssl/ciphersuites = 199:PFS:HIGH:MEDIUM:+e3DES::EC_P256:EC_HIGH
ssl/client_ciphersuites = 214:PFS:HIGH:MEDIUM:+e3DES::EC_P256:EC_HIGH

I also tried adding a modification file with the parameters below:

if %{SERVER_PORT} = 443 [and] if %{PATH} regimatch "/EXT"
begin
RegIRewriteUrl ^EXT(.*) https://test.externalsite.com/url/url

but got same issue.

The internal SAP ABAP server is trying to connect to the external server all the time.

Best regards

Kaan

Accepted Solutions (0)

Answers (2)


isaias_freitas
Advisor
0 Kudos

Hello Kaan,

Thank you for the information.

The complete ICM trace reveals the issue.

The "connection test" requests the root URI "/", as configured at the SM59 destination.

The ICM then receives a redirect from the external website:

[Thr 1824] HTTP response (raw) [1/185/1]:
[Thr 1824] HTTP/1.1 302 Found <<<<<<< redirect response
[Thr 1824] date: Thu, 09 Aug 2018 15:50:47 GMT
[Thr 1824] server: Apache <<<<<<< external website must run on Apache
[Thr 1824] strict-transport-security: max-age=31536000; includeSubDomains
[Thr 1824] location: https://test.merchantsafeunipay.com/msu/admin/login <<< redirect target
[Thr 1824] content-length: 235
[Thr 1824] connection: close
[Thr 1824] content-type: text/html; charset=iso-8859-1
[Thr 1824] x-xss-protection: 1; mode=block
[Thr 1824] x-content-type-options: nosniff
[Thr 1824] set-cookie: sapextlb_EXT=SAP_WDISP_EXTSRV_0_4C614F967D01CBC0; path=/

The ABAP handles the redirect and tries to open the connection to the external website directly.

I believe that you just need to confirm which is the correct URI to be accessed at the external website, so it does not send the redirect.

Or maybe this issue would only occur with the "connection test", and the ABAP application will make the correct calls with no need to change the SM59 destination.

Regards,

Isaías

0 Kudos

Hello

Changing HTTPS to ROUTER changed my error now.

icm/server_port_0 = PROT=ROUTER,PORT=54300

but now I am getting HTTP 500 error.

WDP certificates and destination SSL certs imported into ABAP and both target and ABAP certs have been imported into WDP SAPSSLC. Still getting this error.

I added wdisp/ssl_ignore_host_mismatch = 1 into WDP but no changes.


Best regards

Kaan

isaias_freitas
Advisor
0 Kudos

Hello,

Changing the Web Dispatcher protocol to ROUTER is not a valid approach to fix the issue.

Even if we manage to bypass the new issue, the external website will still send the redirect.

Best regards,

Isaías

0 Kudos

So, what shall I do? If I set it to HTTPS instead of ROUTER, it is trying to connect to the external web site directly.

In the ABAP code it is set like "url =https://Shade-WD.SHADE.INTRA:54300/msu/api" and it is returning me this 500 SSL error.

isaias_freitas
Advisor
0 Kudos

Hello Kaan,

The redirect is coming from the external website, not from an SAP component.

The only way to avoid a redirect is to call a URI (URL) that does not lead to a redirect.

For example, instead of defining the "path prefix" as an empty value (at the SM59 destination), define the final path there (like "/some/resource", for example).

Regards,

Isaías

isaias_freitas
Advisor
0 Kudos

Hello Kaan,

The parameter "icm/HTTP/redirect_0" is incomplete and is not taking any effect.

Your modification rule would be redirecting the client directly to the external website, bypassing the Web Dispatcher, which is not what you want, if I understood correctly.

Besides the "wdisp/system_0" parameter, do you have any other "wdisp/system_X" parameter set at the Web Dispatcher profile?

If not, then you should remove your modification rule and the incomplete redirect parameter, and point the ABAP system to the Web Dispatcher host and port. I believe it should work then.

The Web Dispatcher acts as an intermediary (like a proxy), so you will not see the external website's address anywhere. You should only see the Web Dispatcher address, but the external website's content.

Regards,

Isaías

0 Kudos

Hello

I removed redirect and modification parameters and left only wdisp/system_0 parameter.

wdisp/system_0 = SID=EXT, EXTSRV=https://test.externalsite.com, STICKY=true, SSL_ENCRYPT=2

ABAP server is still trying to connect external server.

What else can we do?

Best regards

Kaan

isaias_freitas
Advisor
0 Kudos

OK, now, edit the RFC destination and put the hostname and port of the Web Dispatcher, instead of the hostname/port of the external website.

Best regards,

Isaías

0 Kudos

Hello

In the RFC it is already WDP hostname and Port number. ABAP Server is trying to reach external server for no reason. If I change parameters for external hostname in WDP, ABAP Server will try to reach to it too with current parameters. I tried that and got same result.

What I want is, ABAP server should only know WDP, nothing else. WDP can process POST and GET actions from external website and forward those requests from/to ABAP server. For some reason ABAP server is trying to bypass WDP.

Best regards

Kaan

isaias_freitas
Advisor
0 Kudos

Hello Kaan,

If the SM59 destination is pointing to the WDP host and port, and the redirect + modification rules were removed at the WDP (WDP restart is required), then I do not see why or how the connection test at the SM59 destination would try to reach the external website directly.

A level 2 trace from the ICM (from the ABAP end) would help to analyze what is happening.

You can increase the ICM trace level to 2, click the "connection test" at SM59, and decrease the ICM trace level back to 1 as soon as the issue is simulated.

Best regards,

Isaías

0 Kudos

Hello

[Thr 1824] IcmConnConnect: allocate new conn slot
[Thr 1824] IcmConnCheckStoredClientConn: next client timeout check in 4 sec
[Thr 1824] IcmConnInitContext: context initialized
[Thr 1824] REQ TRACE BEGIN: 0/111/1
[Thr 1824] MPI<171>2#6 PeekSelectInbuf -1 0 244 (1) -> MPI_EOS: End Of Stream
[Thr 1824] IcmConnInitContext: context initialized
[Thr 1824] IcmConnConnect: tid: 6, uid: 32, mode: 3, keep_alive_timeout: 10, proc_timeout: 0, wp_timeout: 500
[Thr 1824] IcmGetServicePtr: ABAPSERVER:44300 - new serv_ref_count: 1
[Thr 1824] Wed Aug  8 23:20:24:473 2018
[Thr 1824] IcmIConnConnect: direct connect to test.externalsite.com:443
[Thr 1824] NiHLGetNodeAddr: found hostname 'test.externalsite.com' in cache (valid-address/name)
[Thr 1824] NiHLGetNodeAddr: retrying to get address for 'test.externalsite.com'
[Thr 1824] NiHLGetNodeAddr: got hostname 'test.externalsite.com' from operating system
[Thr 1824] NiIGetNodeAddr: hostname 'test.externalsite.com' = addr EXTERNALSITEIP
[Thr 1824] NiIGetServNo: servicename '443' = port 443
[Thr 1824] NiICreateHandle: hdl 80 state NI_INITIAL_CON
[Thr 1824] NiIInitSocket: set default settings for new hdl 80/sock 7988 (I4; ST)
[Thr 1824] NiIBlockMode: set blockmode for hdl 80 FALSE
[Thr 1824] NiHLGetHostName: found address EXTERNALSITEIP in cache (valid-address/name)
[Thr 1824] NiIGetHostName: addr EXTERNALSITEIP = hostname 'test.externalsite.com'

Here is result from ICM logs with Trace 2.

In SM59 I set as Type G, Target host = WDPSERVER, Service No = 48000 (WDP HTTPS Port).

In WDP Parameters there is only wdisp/system_0 parameter as mentioned before but it is not working as I wanted.

Best regards

Kaan

isaias_freitas
Advisor
0 Kudos

Hello,

This line

IcmIConnConnect: direct connect to test.externalsite.com:443

indicates that the ICM is trying to connect to the external site directly.

The ICM receives the target host/port from the ABAP layer (the SM59 "connection test", in this case).

The only possible explanations are that the SM59 destination still has the incorrect data, or that this ICM level 2 trace was collected when something else was performed at the system and not a "connection test" at the SM59 destination that has the correct data.

Best regards,

Isaías
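The two trace readings in this thread (the 302 response with an absolute `location` header, and the `direct connect` line) can be checked mechanically. The following is an added example, not part of any poster's reply or of SAP tooling; the function name and the allow-list of hosts are assumptions, and the sample is constructed from trace lines quoted on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines taken from the two ICM trace excerpts in this thread.
SAMPLE_TRACE = """\
[Thr 1824] IcmGetServicePtr: ABAPSERVER:44300 - new serv_ref_count: 1
[Thr 1824] IcmIConnConnect: direct connect to test.externalsite.com:443
[Thr 1824] HTTP response (raw) [1/185/1]:
[Thr 1824] HTTP/1.1 302 Found <<<<<<< redirect response
[Thr 1824] server: Apache
[Thr 1824] location: https://test.merchantsafeunipay.com/msu/admin/login <<< redirect target
[Thr 1824] content-length: 235
"""

THREAD_PREFIX = re.compile(r"^\[Thr \d+\]\s*")
CONNECT = re.compile(r"IcmIConnConnect: direct connect to (\S+):(\d+)")
STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})")
LOCATION = re.compile(r"^location:\s*(\S+)", re.IGNORECASE)


def off_proxy_targets(trace, allowed_hosts):
    """Return (kind, host, detail) for each outbound connect or 3xx redirect
    in an ICM trace whose host is not in allowed_hosts (hypothetical helper)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    status = None  # status code of the HTTP response currently being read
    for raw in trace.splitlines():
        line = THREAD_PREFIX.sub("", raw).strip()
        if m := CONNECT.search(line):
            status = None  # a new connection starts; forget the old response
            host, port = m.group(1).lower(), int(m.group(2))
            if host not in allowed:
                findings.append(("connect", host, port))
        elif m := STATUS.match(line):
            status = int(m.group(1))
        elif (m := LOCATION.match(line)) and status and 300 <= status < 400:
            # A relative Location has no host, so the client stays on the proxy.
            host = (urlsplit(m.group(1)).hostname or "").lower()
            if host and host not in allowed:
                findings.append(("redirect", host, status))
    return findings


if __name__ == "__main__":
    # Assumption: the only host ABAP should ever contact is the Web Dispatcher.
    for finding in off_proxy_targets(SAMPLE_TRACE, ["WDPSERVER"]):
        print(finding)
```

A `redirect` finding means the backend is steering the client off the Web Dispatcher; a `connect` finding means the ABAP side already acted on such a target.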

0 Kudos

Hello

There were no other tests performed on the system. SM59 RFC is pointing to WDP only. I reset trace file, set level to 2, did connection test and put logs here.

Best regards

Kaan

former_member230159
Contributor
0 Kudos

Hello Kaan,

Are you able to do the niping to web dispatcher host and port successfully?

niping -v -H <WDP hostname> -S 443

Regards,

Manjunath

0 Kudos

Hello

From WDP to external server, connection is working, but from ABAP server to WDP only WDP HTTPS port is allowed (48000).

Here is niping result from ABAP server to WDP

C:\Windows\system32>niping -v -H WDPSERVER -S  443 
Hostname/Nodeaddr verification: ===============================
Hostname of local computer: ABAPSERVER (NiMyHostName)
FQHN of local computer: ABAPSERVERWITHFQDN (NiGetOwnFQDN)
Lookup of hostname: ABAPSERVER (NiHostToAddr)
--> IP-Addr.: ABAPSERVERIP
Lookup of IP-Addr.: ABAPSERVERIP (NiAddrToHost)
--> Hostname: ABAPSERVERWITHFQDN
Lookup of hostname: WDPSERVER (NiHostToAddr)
--> IP-Addr.: WDPSERVERIP
Lookup of IP-Addr.: WDPSERVERIP (NiAddrToHost)
--> Hostname: WDPSERVER
Servicename/Serviceport verification: =======================================
Lookup of service: 443 (NiServToNo) --> Number: 443
Lookup of service no: 443 (NiNoToServ) --> Service name: https

former_member230159
Contributor
0 Kudos

Hello Kaan,

[Thr 1824] IcmGetServicePtr: ABAPSERVER:44300 - new serv_ref_count: 1
[Thr 1824] Wed Aug  8 23:20:24:473 2018
[Thr 1824] IcmIConnConnect: direct connect to test.externalsite.com:443

From the entries I agree with Isaías about the ICM connecting directly to 443 (backend HTTPS port).

IcmGetServicePtr: ABAPSERVER:44300

Why is the ABAP server taking port 443 instead of 48000? To me it looks like the modification rule is not working.

Are you able to see entries like HttpModificationhandler?

Regards,

Manjunath

0 Kudos

Hello

I already disabled the modifications as Isaías suggested and left only this active:

wdisp/system_0 = SID=EXT, EXTSRV=https://test.externalsite.com, STICKY=true, SSL_ENCRYPT=2

What I am trying to achieve is: if I want to go to https://test.externalsite.com/url1/url2/url3, it should open in SAP via https://wdpserver:48000/url1/url2/url3

And there are no entries with HttpModificationhandler.


Best regards

Kaan

isaias_freitas
Advisor
0 Kudos

Hello Kaan,

If the Web Dispatcher only has the "wdisp/system_0" definition, and no other "wdisp/system_X" defined, the redirect and modification rule were removed, and the Web Dispatcher was restarted to activate the changes, then I would say that there is nothing else to check at the Web Dispatcher.

If there was no other test being performed while the ICM level 2 trace was collected, and the only test that was performed was to press the "connection test" button of the SM59 destination being used, the only possible explanation for the ICM to still try to connect to the external website directly is that the SM59 destination was pointing to the external website directly.

Regards,

Isaías

0 Kudos

Hello

I will openly give my target systems. You can now see my exact parameters. I am giving you my WDP profile, SM59 screenshots and full SMICM traces with level 2.

SAPSYSTEMNAME = D00
SAPGLOBALHOST = Shade-WD
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
DIR_PROFILE = \\Shade-WD\sapmnt\D00\SYS\profile
_PF = $(DIR_PROFILE)\D00_W00_Shade-WD
SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%
#-----------------------------------------------------------------------
# Back-end system configuration
#-----------------------------------------------------------------------
#wdisp/system_0 = SID=T00, MSHOST=shade-sap, MSSPORT=44401, SSL_ENCRYPT=1, SRCURL=/sap
#rdisp/mshost = shade-sap.shade.intra
#ms/https_port = 44401
wdisp/server_info_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ping_protocol = https
#-----------------------------------------------------------------------
# Configuration of maximum number of concurrent connections
#-----------------------------------------------------------------------
icm/max_conn = 500
#-----------------------------------------------------------------------
# SAP Web Dispatcher 
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=54300
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
#-----------------------------------------------------------------------
# Start webdispatcher
#-----------------------------------------------------------------------
_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)
Restart_Program_00 = local $(_WD) pf=$(_PF)
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec
#icm/HTTP/redirect_0 = PREFIX=/, FROM=*, PROT=HTTPS, HOST=test.merchantsafeunipay.com
wdisp/system_0 = SID=EXT, EXTSRV=https://test.merchantsafeunipay.com, STICKY=true, SSL_ENCRYPT=2, SRCURL=/
#icm/HTTP/mod_0 = PREFIX=/, FILE=C:\usr\sap\D00\W00\sec\D00Rule.txt
ssl/server_cache_size = (min($(icm/max_conn) * 4, 100000))
ssl/ciphersuites = 199:PFS:HIGH:MEDIUM:+e3DES::EC_P256:EC_HIGH
ssl/client_ciphersuites = 214:PFS:HIGH:MEDIUM:+e3DES::EC_P256:EC_HIGH

SMICM logs

https://pastebin.com/ZcENYuLT

Best regards

Kaan