SAP Web Dispatcher as Front-end webserver to use with SiteMinder

Former Member
0 Kudos

Hi,

We've implemented an external-facing portal with SAP Web Dispatcher as reverse proxy and it is working perfectly fine. This is our current setup.

Browser -> Hardware load balancer (CSS) -> SAP Web Dispatcher (this is in DMZ) -> SAP J2EE Engine (in intranet, uses ABAP UME) -> SAP ECC (in intranet).

Currently the authentication is happening in the intranet. We want to perform the authentication in the DMZ. To accomplish this, we are planning to synchronize the LDAP in the DMZ with the ABAP UME in the intranet and use CA (Netegrity) SiteMinder for authentication. I read through several documents and posts on SDN and it appears that we have to use Apache or IIS as the front-end web server, where we have to install the SiteMinder Web Agent and Session Linker. Knowing that SAP Web Dispatcher has limited capability (not a full-fledged reverse proxy), is there a way to use SAP Web Dispatcher as the front-end web server?

Thanks
Ram

Accepted Solutions (1)

Former Member
0 Kudos

Hi Ram,

Do I understand correctly that you want to install the SiteMinder web agent on the SAP Web Dispatcher, instead of using Apache or IIS? I don't believe this is possible; the SAP Web Dispatcher isn't a web server like Apache or IIS. Check the SiteMinder supported web servers where you can install the web agent. I doubt that SAP Web Dispatcher is one of them, is it?

One other solution you might consider is to put an empty Java stack into the DMZ that is used only for authentication and connects to the DMZ LDAP. This Java stack would issue a valid SAP Logon ticket to the authenticated user and then forward them into the intranet zone where the existing portal can be configured to accept the ticket.

BRgds,

Simon

Former Member
0 Kudos

Thanks Simon.

I too thought SAP Web Dispatcher cannot handle this but wanted to hear from fellow SCN members. You are correct, SAP Web Dispatcher is not listed as a supported web server in the SiteMinder documentation.

I like your idea of installing a dummy Java stack in the DMZ, pointing it to LDAP and generating a logon ticket. This will eliminate the need to use SiteMinder. However, our company is heading towards using SiteMinder as we foresee requirements to integrate with non-SAP applications and also some external applications. Using SiteMinder will enable all types of SSO. Most likely we'll end up using Apache.

Originally we thought of using Apache for reverse proxy but went with SAP Web Dispatcher because SAP said they officially support only Web Dispatcher. If we end up going with Apache, is it better to use it as both front-end web server and reverse proxy? Or use it only as front-end web server and use SAP Web Dispatcher for reverse proxy and load balancing?

Thanks

Ram

Former Member
0 Kudos

Hi Ram,

I can't comment regarding the best configuration to use; all I can tell you is that I worked on a site once where they used both Apache and SAP Web Dispatcher in the solution. They seemed to work well together.

Using SiteMinder makes lots of sense for enabling third-party SSO too. I suppose another option, especially for third-party SSO, is to use SAML.

Good luck!

Simon

hofmann
Active Contributor
0 Kudos

"but went with SAP Web Dispatcher because SAP said they officially support only Web Dispatcher"

SAP Web Dispatcher is the preferred software solution for reverse proxy with load balancing, as WD understands the SAP load balancing protocol (message server). I doubt that you'll have no support when using Apache as the reverse proxy. Although with Apache you won't get the benefit of the "smart" load balancing WD does.

Former Member
0 Kudos

You are right, Tobias. WD can do better load balancing (interaction with message server, weighted round-robin and session stickiness with saplb cookie) compared to others. We had another reason to not go with Apache, as it required enabling the mod_proxy module and our enterprise security team raised a concern about it.

Regarding support, this is what SAP told us.

"We cannot help with troubleshooting the proxy server as it is not from SAP."

Thanks

Ram

hofmann
Active Contributor
0 Kudos

You can use Apache as RP and still open OSS messages; it's just that SAP's support staff won't help you with your Apache configuration.

What kind of concern did your security team raise? And what will be your alternative?

Former Member
0 Kudos

Tobias,

Our security team ran Qualys scans and found that there are some known vulnerabilities with mod_proxy (http://httpd.apache.org/security/vulnerabilities_22.html). We used to get sporadic proxy errors like "Error reading from remote server", "204 No content" etc. and that is when we tried to get some help from SAP. Anyway, this was 6 months ago. We went with SAP WD and have had no issues so far.

With the SiteMinder initiative now, we'll have to look into Apache as RP again. Do you have any suggestion/preference between the options below?

Option 1:

Browser -> Hardware Load balancer -> Apache (Front-end web server, Reverse proxy, load balancer) -> SAP J2EE Engine -> SAP ECC

Option 2:

Browser -> Hardware Load balancer -> Apache (Front-end web server) -> SAP Web Dispatcher (Reverse proxy, load balancer) -> SAP J2EE Engine -> SAP ECC

Thanks

Ram

hofmann
Active Contributor
0 Kudos

Ram,

Well, not using software because of known security issues that are fixed makes your corporate security team work interesting. You can still use the newest version of Apache: 2.4.2. SAP support won't solve issues regarding your proxy configuration, but your landscape is still supported. In that regard, I would choose option 2:

You get load balancing and reverse proxy with Web Dispatcher and when you suspect/encounter an error with Apache / Siteminder, you can still access SAP via Web Dispatcher. If the error occurs there too, you can add SAP support.
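The Apache side of option 2, sketched as an added example that is not part of the thread or any poster's configuration: Apache 2.4 acts only as the front-end web server with mod_proxy locked to reverse-proxy use, and hands every request to a single Web Dispatcher. Host names, the port and certificate paths are placeholders, and the SiteMinder Web Agent's own configuration is not shown.

```apache
# Added example: Apache 2.4 as front-end web server only (option 2).
# Host names, port and file paths below are placeholders, not values from the thread.
# Assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.

<VirtualHost *:443>
    ServerName portal.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.example.com.key

    # Reverse proxy only: with this off, Apache never serves as a
    # forward (open) proxy for arbitrary destinations.
    ProxyRequests Off

    # Hand the browser's original Host header to the backend unchanged.
    ProxyPreserveHost On

    # Re-encrypt towards the Web Dispatcher and verify its certificate
    # against an internal CA instead of trusting any peer.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem

    # One fixed backend: the SAP Web Dispatcher. No balancer is defined
    # here; load balancing and session stickiness stay on the Web Dispatcher.
    ProxyPass        "/" "https://webdisp.example.internal:8443/"
    ProxyPassReverse "/" "https://webdisp.example.internal:8443/"
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before a reload.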

Answers (2)

robert_wagener
Explorer
0 Kudos

Hi,

Thanks for a great post. We were also wondering if Web Dispatcher could be used as the front-end web server – thanks for clearing this up.

We are considering using the SiteMinder web agent and session linker to provide SSO for a new ABAP Web Dynpro. It appears that an AS Java system is required since the SiteMinder solution uses a Java login module. Is it possible to use the SiteMinder agent without an AS Java system in the picture?

Thanks,

Rob

Former Member
0 Kudos

Find out if SiteMinder has other integration options, for example SAML2, which newer ABAP backends understand just fine.

anja_engelhardt2
Active Contributor
0 Kudos

Moved from portal forum to SAP NetWeaver Application Server