Technical Connectivity Guide

On-Demand Solutions from SAP
Document Version: 1.2 – 2012-04-29
CUSTOMER
Authors: Jörg Nalik, Andreas Wildhagen


© 2012 SAP AG. All rights reserved.

Typographic Conventions

Type Style: Description

Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.

Example: Emphasized words or expressions.

EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.


Document History

Before you start working with this document, make sure you have the latest version. You can find the latest version on the Business Center for On-Demand Solutions from SAP.

For questions and feedback, please contact the authors:

[email protected] or [email protected].

Version  Date        Change
1.0      2012-01-30  Initial version
1.1      2012-02-29  Copy-edited version; no content changes – final draft version
1.2      2012-06-29  New template applied; released for CUSTOMER; no content changes


Table of Contents

1 Introduction .... 6
2 Connectivity Architecture .... 8
3 Network Services Requirements .... 9
4 Reference Landscape .... 13
4.1 Reference Scenario .... 14
4.2 Secure Communication Using SSL .... 14
4.2.1 SAP Web AS Consumes SAP Cloud Service .... 16
4.2.2 SAP Cloud Consumes SAP Web AS Service .... 17
4.3 Landscape Variations (Examples) .... 19
4.3.1 High Security Landscape .... 19
4.3.2 Alternative Landscape .... 20
5 Procedure Model .... 21
5.1 Preparation .... 21
5.2 Install Web Dispatcher and Crypto Libraries .... 21
5.3 Enable SSL on SAP Web AS and SAP Web Dispatcher .... 22
5.3.1 Import Certificates in SAP Web AS ABAP Trust Manager .... 22
5.3.2 Create Self-Signed SSL Server Certificate on SAP Web AS .... 24
5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher .... 27
5.3.4 Import SAP Web AS Server Certificate into SAP Web Dispatcher’s Trust Manager .... 27
5.3.5 Import SAP Web Dispatcher’s Client Certificate into SAP Web AS ABAP Trust Manager .... 28
5.4 Configure Network Components .... 28
5.4.1 Configure Firewall Settings .... 28
5.4.2 Configure URL Filter and Rewrite Rules on SAP Web Dispatcher .... 29
5.4.3 Client Certificate Handling with SAP Web Dispatcher .... 32
5.4.4 Example SAP Web Dispatcher Configurations .... 32
5.4.5 Configure Settings on Additional Connectivity Components .... 33
5.5 Define Certificate to User Mapping in SAP Web AS .... 33
5.5.1 Preparation .... 33
5.5.2 Define Mapping .... 33
5.6 Perform Connectivity Tests .... 34
5.7 Selected Application Integration Topics .... 35
5.7.1 Verify SSL Support on SAP Web AS and SAP Web Dispatcher .... 35
5.7.2 SAP Web Dispatcher Performance Tuning .... 35
5.7.3 Configure SSL on HTTP Destinations Using SM59 .... 35
5.7.4 Configure SSL for IDOC over SOAP .... 36
5.7.5 Signing Certificate Requests using SAP Trust Service .... 36
5.7.6 Configure SSL using SOA Manager .... 38
6 SAP Supported Certification Authorities .... 40
6.1 Valid Trusted CAs .... 40
6.2 Valid CAs for Signing Server Certificates .... 40
6.3 Valid CAs for Signing Client Certificates .... 41
7 Further Reading .... 43
7.1 Guidelines .... 43
7.2 Product Documentation .... 43
7.3 SAP Developer Network .... 44
7.4 SAP Press Books .... 44
7.5 SAP Notes .... 44


1 Introduction

This document gives an overview of technical connectivity for SAP on-demand (OD) applications that are integrated with existing customer SAP on-premise (OP) products, such as SAP ERP.

Caution: This document recommends how to set up the technical connectivity for SAP on-demand (OD) applications that are integrated with existing customer SAP on-premise (OP) products, such as SAP ERP.

SAP is not liable for any consequences or damages resulting from the use of this document.

The following are examples of these “hybrid landscape solutions”:

SAP Sales OnDemand with SAP ERP or SAP CRM integration

SAP Travel OnDemand with SAP ERP and/or SAP HCM integration

SAP Business ByDesign for Large Enterprise Subsidiaries

In contrast to application integration within one data center, the integration of application components in hybrid landscapes requires the penetration of network security perimeters of the customer data center and the cloud environment, connectivity via wide area networks (WAN) of the internet (as opposed to just LAN - local area network - connectivity) and network traffic encryption for security.

In this document, we describe the following:

The minimal list of required network services for supporting hybrid-landscape-based applications

Further network services which can be considered for additional reliability and security

An application/network reference architecture

A concrete implementation example with detailed configuration guide based on the SAP Web Dispatcher.

Target Group

This document is intended for project managers and network and security experts, as well as SAP technology experts working on integrating an SAP Cloud product with the customer’s on-premise SAP application landscape.

We recommend that SAP application project teams use this document to clearly communicate with customer network and security IT groups in order to coordinate the necessary work.

Scope

The focus is on applications built on the SAP Business ByDesign platform delivered to customers. From the product portfolio, it is intended for SAP Sales OnDemand, SAP Travel OnDemand, SAP Business ByDesign in Subsidiaries – and applications with similar characteristics.

This document does not cover the following issues:

End-user - meaning browser and mobile - technical connectivity with SAP Cloud.

Single sign-on and identity management.


Implications of data privacy laws in the various countries where you operate.

Assumptions and Prerequisites

You plan to integrate an SAP Business Suite system, such as SAP ERP, with an SAP Cloud Solution.

You have access to SAP Service Marketplace; that is, you have S-user access to SAP Service Marketplace.

You have access - that is, you have licenses - for the download of SAP NetWeaver technology components from the SAP Software Download Center.

You know experts who can configure SAP systems on operating system and SAP Basis level.

Your company security policy allows for communication between your on-premise SAP systems and SAP Cloud environment over the internet.

You have the means to obtain public IP addresses and Domain Name Service entries visible on the public Internet.


2 Connectivity Architecture

Your network infrastructure is extremely important for reliable integration of your application components and services, and to ensure that they are fully secured and perform well. Reliability is needed for uninterrupted availability of your application. Security is needed to protect your confidential business data. Good performance is needed to save costs and to satisfy end users with a good usage experience. Security can be further broken down into the areas of data access, data transport, and data storage. While security of data storage is taken care of through backup and similar measures on the application side, data access and transport security is a service of your network infrastructure.

A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise machines and gain access to the SAP System database or files. Additionally, if users are not able to connect to the server LAN, they cannot exploit well-known bugs and security holes in operating systems on the server machines.

Again, your strategy and your priorities are the most important factor in deciding what level of security is necessary for your network infrastructure. We offer general recommendations when establishing your network topology, which include using a firewall and other intermediary devices - such as the SAP Web Dispatcher and the SAProuter - to protect your local network. To protect SAP system communications at the transport layer, the SAP NetWeaver products support the use of the Secure Sockets Layer (SSL) protocol and Secure Network Communications (SNC).

Note: Depending on your current situation, you may want to modify the described secure network setup to fit your needs. We offer such suggestions and recommendations at various security levels. If the plan described here does not fit your needs, contact our consultants, who are also available to assist you in setting up your network securely.

For more information, see also the SAP NetWeaver Network Security Guide:

On SAP Service Marketplace at: https://service.sap.com/security

On the SAP Help Portal, for example, for SAP NetWeaver 7.3 EHP1 at: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/0a/0a2e00ef6211d3a6510000e835363f/content.htm


3 Network Services Requirements

Technical networks are essential complements to your business applications, and the reason why most big companies have a dedicated IT network group. Networks are typically described as OSI Layer 1 through 7 architectures, starting with cabling, switching, and routing as layers 1 through 3, which we are not covering in this document. It is essential that you work with your network group to arrange proper network connectivity within your data center and to your company’s Internet Service Provider (ISP).

Many companies also have a dedicated IT security group that governs security as a whole across different technology layers like application, storage, networks, and more. Ultimately, when you connect your on-premise systems to on-demand systems, the triumvirate of application, network, and security groups in your organization needs to collaborate and be involved.

Looking beyond OSI Layer 1-3 network basics, your company’s network should provide network services, which support reliability, security, and good performance for your productive application operation. There is a wide range of such network services - considered part of the OSI Layers 4 through 7 – available, examples of which you can see in the table below:

This document focuses on the essential network services requirements. These services are mostly related to the security of your business data and business application operation. Typically, your data center is a well-guarded physical environment where your OP SAP applications are placed in an inner security zone. The Local Area Network (LAN) of that zone has to be strictly separated from the public internet, which is achieved using a “demilitarized” (DMZ) network zone at the “edge” of your data center to outside public networks.

NC-1: No direct network connection from public networks to OP SAP applications shall be allowed.

This recommendation gives rise to the need for network services inside the DMZ, which terminate network connections from the inner and the outer networks.

For the outbound traffic of your data center, the term “proxy” is commonly used for such network services. The inbound traffic is guarded by “reverse proxies”. The inner security zone, the DMZ, and public networks are separated by firewalls, which act as filters of network traffic and allow only the desired traffic to pass. Firewalls and proxies together provide the necessary access control to OP application data from the outside, as well as control over which OP application data is sent to the outside.

Firewalls typically work as in-line devices which filter out undesired network traffic without terminating network connections. Proxies do terminate connections, which allows them to hide the inner network topology of your data center from the outside world. Proxies and reverse proxies often provide higher level traffic-filtering functions, and they can transform the network traffic content: for example, they can decrypt secure traffic into clear text traffic. This is their most common use, and it is described in more detail in the following sections.

The minimal overall network topology is shown in the figure below. (Note: we use the term “proxy” as an umbrella term for both proxy and reverse proxy.)

Figure: minimal network topology. On Premise (SAP Applications, System of Record), Firewall, DMZ (Proxy), Firewall, Public Internet, On Demand.

The OnPremise side and the OnDemand side are like two fortresses, one operated by your company and the other by SAP. While both ends are secure, the public internet in between them is not. Your business data sent between both locations needs to be confidential. This leads to the following simple, but strongly recommended, guideline:

NC-2: All business application network traffic transmitted via Wide Area Networks shall be encrypted.

The following sections describe in more detail how application traffic can be encrypted by either the application server or the (reverse) proxies, or both.

A common way to make it difficult to break into your inner network is to hide the inner security zone topology from the outer world – a bit like lowering the blinds on your windows so that nobody can look inside your house. Network topology is made up of IP addresses, server hostnames, network ports, and more. The main purpose of a reverse proxy is to expose only a defined set of public URLs of your company to the outside world - like https://mycompany.com:443/serviceX - and to then route incoming https requests to the application server, which provides services. Therefore, the reverse proxy has to perform URL transformations between public URLs and the URLs used in the inner security zone of your data center.

Note: These URL translations should also be performed on the outgoing responses; otherwise the outside On Demand application could not use address references in a response, and information about your inner security zone network technology might be accidentally sent to the outside world.

A proxy has a similar function to a reverse proxy, except that in this case the OP application is the one sending a request to a public URL on the On Demand side. The URL transformation task - often also referred to as URL rewriting - is analogous to the reverse proxy case. In summary:

NC-3: Inner network security zone topologies - in particular IP addresses and host names of the application servers - should be kept confidential and hidden from the outside world and even trusted business partners, represented by the On Demand side, through the use of proxies and reverse proxies which perform TCP/IP protocol level connection termination and URL translations.

After covering security considerations, you should also consider the reliability of your overall business application solution. When implementing proxy and reverse proxy solutions you should be aware that if they break, connectivity will be disrupted, which would mean an important part of your business application would experience downtime, even if the application servers were working perfectly. Therefore, it is important to consider high availability (HA) deployment of your proxy solutions, and you should implement enough computing capacity for the proxies for your expected workload.

For an example of an HA setup and capacity sizing of the SAP Web Dispatcher that can be used as reverse proxy, see the following document: https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf


NC-4: Consider high availability deployments and appropriate computing capacity sizing of your proxy and reverse proxy solutions.

The third requirement category to check is performance. HTTP request response times over WANs are, in most cases, significantly longer than in local area networks, due to bandwidth, latency, and packet loss constraints of the WAN.

For more information, see the document Testing Secure Enterprise SOA Applications Across Wide Area Networks without Leaving the Lab, which also describes how you can perform combined application/network tests, in the SAP Developer Network at: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00aa0f0b-3c4d-2a10-5593-a57beda851c0

A second impact on performance is that security and reliability services cause extra processing demands compared to a LAN connection. Both performance impacts can be mitigated to some extent through proper performance tuning of your proxy and reverse proxy implementation.

A major factor in increased WAN response times is the handshake processing required to open connections on TCP/IP level and to establish SSL sessions. The frequency with which some handshakes are needed can be lowered by using the HTTP 1.1 through-proxy standard. All network and application services following that standard allow configuration of a connection timeout parameter, which is often named keep-alive. Choosing a higher keep-alive value - maybe 60 seconds or more - lowers the frequency of opening new connections and improves overall average response times.

NC-5: All network and application services should support the HTTP 1.1 through-proxy standard, and the connection timeout configuration parameter should be tuned to improve average response times.
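To make the keep-alive argument concrete, here is a small model (an added example, not code from the guide) of how many round trips a sequence of requests costs with and without connection reuse. It assumes one round trip for the TCP handshake, two for a full SSL/TLS handshake (TLS 1.2 without session resumption), one per request/response exchange, no processing time, and a constructed request timing; the point it adds is that a keep-alive shorter than the idle gap between requests buys nothing.

```python
from dataclasses import dataclass

# Round trips per step (assumptions, see lead-in): TCP connect, full TLS handshake,
# and one request/response exchange once the connection is up.
TCP_HANDSHAKE_RTT = 1
TLS_HANDSHAKE_RTT = 2
EXCHANGE_RTT = 1


@dataclass
class Result:
    connections_opened: int       # how many TCP+TLS handshakes were paid
    mean_response_time_ms: float  # average time from request start to response


def simulate(request_times_s, rtt_ms, keep_alive_s):
    """Replay requests issued at the given start times (seconds) against one
    service over a WAN path with the given round-trip time.

    A request reuses the previous connection only if keep-alive is enabled
    (keep_alive_s > 0) and the idle gap since the previous response is at
    most keep_alive_s; otherwise a fresh TCP+TLS connection is opened."""
    last_done_s = None
    opened = 0
    total_ms = 0.0
    for t in sorted(request_times_s):
        idle = None if last_done_s is None else t - last_done_s
        reuse = keep_alive_s > 0 and idle is not None and idle <= keep_alive_s
        if reuse:
            rtts = EXCHANGE_RTT
        else:
            rtts = TCP_HANDSHAKE_RTT + TLS_HANDSHAKE_RTT + EXCHANGE_RTT
            opened += 1
        elapsed_ms = rtts * rtt_ms
        total_ms += elapsed_ms
        last_done_s = t + elapsed_ms / 1000.0
    return Result(opened, total_ms / len(request_times_s))


def compare(request_times_s, rtt_ms):
    """The same workload under three keep-alive settings (seconds)."""
    return {
        "no keep-alive": simulate(request_times_s, rtt_ms, 0),
        "keep-alive 3 s": simulate(request_times_s, rtt_ms, 3),
        "keep-alive 60 s": simulate(request_times_s, rtt_ms, 60),
    }


if __name__ == "__main__":
    # Constructed workload: ten requests, one every 5 seconds, over a 150 ms WAN path.
    workload = [5.0 * i for i in range(10)]
    for name, r in compare(workload, rtt_ms=150.0).items():
        print(f"{name:16} connections={r.connections_opened:2d} "
              f"mean response={r.mean_response_time_ms:6.1f} ms")
    # The 3 s keep-alive expires before the next request arrives, so every
    # request pays the full handshake again; the timeout must exceed the
    # longest idle gap between requests to help.
```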

On the computing resource side, it should be noted that proxies and reverse proxies often offload network protocol-related processing from the application servers. Even if that offloading may only be a few percent of the overall application processing, it might be worthwhile doing in large application environments, because application server TCO is usually much higher than network services TCO. The prime example for offloading would be to terminate an SSL session at the proxy/reverse proxy, and to use a clear text connection between them and the OP application server. However, such performance optimization is only possible if it does not conflict with the security rules of your company, which, for instance, might require end-to-end traffic encryption. Other process offloading capabilities are known, but their availability depends on the network service products you’d like to use.

This concludes the minimal requirement section. In addition, there is a larger range of network services known which can further improve the reliability, security, and performance of your OP-OD integration.

A more general class of network services products is referred to as Application Delivery Controllers (ADC). ADCs typically include proxy and reverse proxy capabilities, but they also offer other services, most prominently load balancing. Load balancing of inbound traffic to application servers is essential for enabling HA and scale-out deployments of the application servers themselves. As a side effect, load balancers also function almost as reverse proxies, which means that both functions can be deployed as one product instance. A good example of such an ADC solution is the SAP Web Dispatcher product. In addition, load balancing on the outbound traffic side is possible, for instance if your company maintains multiple connections to the internet from different internet service providers. In this way, more reliable internet access can be achieved.

The list of further additional ADC services is long. Here are some examples:

Defense against distributed denial of service attacks (DDoS attacks)

Blacklist/whitelist URL filtering

Traffic content and rule-based security filters

Further TCP/IP protocol optimization and offloading capabilities in addition to the ones described above

Bandwidth management capabilities for prioritizing your application traffic (maybe over YouTube traffic)


Different network vendors bundle different capabilities into their ADC products. SAP maintains partnering relations with most industry-leading network vendors and has certified some of their products, as shown in the following figure:

You find an up-to-date list of SAP certified network products at: http://www.sap.com/ecosystem/customers/directories/searchpartner.epx.

You may search for SAP-defined integration scenarios: ESOA-AW-PO, ESOA-AW-RA and ESOA-AW-SEC to find certified solutions for the areas reliability (RA), security (SEC), and performance (PO), or you might search by your preferred network vendor company name.

Many network products are also listed on the SAP Ecohub at http://ecohub.sap.com.

The following document provides generic information about network products of some vendors: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7447


4 Reference Landscape

Note: For the sake of simplicity, the reference landscape used in this document uses few network zones. Depending on the complexity and security requirements of your own landscape, you may need to use additional zones, and add or replace components.

The following figure depicts the reference landscape for SAP on-demand / on premise technical connectivity based on HTTPS and secure proxy / reverse proxy components.

Figure: reference landscape. Customer Landscape: High Security Area with SAP Web AS (1); Firewall (2); DMZ with SAP Web Dispatcher (3) and transparent HTTP(S) proxy (3’); Firewall (4). Internet. SAP OnDemand Landscape: Firewall (5); Application Delivery Controller (6); Firewall (7); High Security Area with SAP OnDemand (8). Links are labelled HTTP(S) and HTTPS.

The diagram contains the following elements in the customer landscape:

(1) SAP Web Application Server. For on demand / on premise communication, the SAP Web Application Server can act as the client calling the SAP OnDemand environment, or it can act as the server where SAP OnDemand environment invokes the SAP Web AS in the customer landscape.

(2) A firewall separates the high security area with the SAP Web Application Server, Database Management System, and so on, from the demilitarized zone (DMZ).

(3) SAP Web Dispatcher acts as HTTP / HTTPS reverse proxy for calls from outside the customer landscape to (1).

(3’) A transparent HTTP(S) proxy forwards communication from SAP Web AS (1) to locations external to the customer landscape.

(4) A firewall separates the public internet from the customer DMZ.

The above diagram shows a schematic topology of SAP Cloud Solutions in the SAP OnDemand Landscape:

(5) A firewall separates the public internet from the SAP OnDemand Landscape (“SAP Cloud”).

(6) An application delivery controller provides proxy / reverse proxy and additional security capabilities.

(7) A firewall separates the DMZ from the high security zone in the SAP OnDemand landscape.

(8) SAP OnDemand application services are operated in high security network zones.


4.1 Reference Scenario

In the fictitious reference scenario, SAP Web AS (1) provides a service over HTTPS, such as an IDOC over SOAP (inbound) endpoint or a Web Service. This service is consumed by SAP OnDemand (8).

SAP OnDemand (8) exposes a service over HTTPS, for example, an IDOC over SOAP or Web Service end point.

SAP Web AS

SAP Web AS (1) resides in the high security network zone. Let the internal host name be mysapwebas.secure.mycompany.corp. This host has neither a public IP address nor a public DNS entry.

By default, the SAP Web AS inbound port is 443$$, where $$ represents the system’s “instance ID”.

The instance ID of the system in the reference landscape is 00. Web AS (1) in the reference landscape uses default NetWeaver SSL port 44300.

The SAP Web AS instance (1), reachable from outside under the host name webapi.mycompany.com, processes HTTPS requests from SAP Cloud (8). This host shall process incoming IDOC messages in client 311 using the IDOC / SOAP channel.

The default URL for this service then is https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.

We hide internal implementation details such as the SAP Web AS (1) host name, service path, and so on, from the public Internet. Instead, we use a “descriptive URL” for this service:

https://webapi.mycompany.com:443/sapcloudapi/idoc
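The reverse-proxy URL translation that guideline NC-3 in the Network Services Requirements section asks for, applied to this scenario's URLs, as an added example that is not code from the guide or from SAP Web Dispatcher: an allow-list maps the descriptive public URL to the internal SAP Web AS URL and rejects everything else, and internal addresses in responses are translated back so the inner host name never leaves the DMZ. The host names, port, path and sap-client value are the ones from this section; the rejection rules and the handling of leaked internal references are the example's own assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Host names, ports and paths from the reference scenario in section 4.1 of the guide.
PUBLIC_HOST = "webapi.mycompany.com"
INTERNAL_HOST = "mysapwebas.secure.mycompany.corp"
INTERNAL_PORT = 44300

# Exposed public path -> (internal path, fixed query the backend needs).
# Only these paths exist to the outside world; every other request is rejected.
ROUTES = {
    "/sapcloudapi/idoc": ("/sap/bc/srt/IDoc", {"sap-client": "311"}),
}
PUBLIC_BY_INTERNAL = {ipath: ppath for ppath, (ipath, _) in ROUTES.items()}


class Reject(Exception):
    """Request does not match an exposed public URL."""


def inbound(public_url):
    """Map a public request URL to the internal SAP Web AS URL, or reject it."""
    p = urlsplit(public_url)
    if p.scheme != "https" or p.hostname != PUBLIC_HOST or p.port not in (None, 443):
        raise Reject(f"not an exposed endpoint: {public_url}")
    # Decode percent-encoding and collapse "." / ".." first, so that
    # /sapcloudapi/../sap/bc/srt/IDoc cannot slip past the allow-list.
    path = posixpath.normpath(unquote(p.path))
    if path not in ROUTES:
        raise Reject(f"path not exposed: {p.path}")
    ipath, fixed = ROUTES[path]
    query = dict(parse_qsl(p.query))
    query.update(fixed)  # backend-owned values (sap-client) can never be overridden by the caller
    return urlunsplit(("https", f"{INTERNAL_HOST}:{INTERNAL_PORT}", ipath, urlencode(query), ""))


# Any absolute URL pointing at the internal host, with optional port, path and query.
_INTERNAL_URL = re.compile(
    r"https?://" + re.escape(INTERNAL_HOST)
    + r"(?::\d+)?(?P<path>/[^\s\"'<>?#]*)?(?:\?[^\s\"'<>#]*)?"
)


def outbound(text):
    """Rewrite internal URLs in a response (header value or body) to their public form.

    Returns (rewritten_text, leaks): leaks lists internal paths the backend referenced
    that are not exposed. They are masked with the public root so nothing about the
    inner zone is revealed, and should be investigated on the backend side."""
    leaks = []

    def repl(m):
        ipath = posixpath.normpath(m.group("path") or "/")
        ppath = PUBLIC_BY_INTERNAL.get(ipath)
        if ppath is None:
            leaks.append(ipath)
            ppath = "/"
        # The internal query (sap-client) is dropped: it is the proxy's business, not the caller's.
        return f"https://{PUBLIC_HOST}{ppath}"

    return _INTERNAL_URL.sub(repl, text), leaks


def reveals_internal_topology(text):
    """Final check before a response leaves the DMZ: the inner host name must not remain."""
    return INTERNAL_HOST in text


if __name__ == "__main__":
    print(inbound("https://webapi.mycompany.com:443/sapcloudapi/idoc"))
    # Constructed backend response header that would leak the internal address:
    fixed, leaks = outbound("Location: https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311")
    print(fixed, leaks, reveals_internal_topology(fixed))
```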

SAP Cloud

Our reference scenario implements a distributed business scenario with process integration between SAP Web AS (1) and SAP Cloud (8). SAP Cloud (8) exposes an “IDOC over SOAP” inbound end point. SAP Web AS (1) sends IDOCs over SOAP to this end point. From the perspective of SAP Cloud (8), this is an inbound communication.

SAP Cloud (8) exposes the service end point URL https://my12345.solution.ondemand.com/api/mywebservice.

Note

In practice, an integration scenario will be based on several interfaces. For brevity and simplicity, we stick to these two communication links – that is, SAP Web AS (1) consumes a service in the SAP Cloud (8) and SAP Cloud (8) consumes a service in SAP Web AS (1).

The reference scenario uses communication based on HTTPS using X.509 client certificates.

4.2 Secure Communication Using SSL

Communication over the public Internet must be encrypted to protect data against eavesdropping and manipulation.

The communication between SAP OnDemand and SAP Web AS shall be protected using Secure Sockets Layer (SSL).


[Figure: reference landscape. Customer landscape: SAP Web AS (1) in the high security area, firewall (2), SAP Web Dispatcher (3) and transparent HTTP(S) proxy (3') in the DMZ, firewall (4). Internet. SAP OnDemand landscape: firewall (5), application delivery controller (6), firewall (7), SAP OnDemand (8). Links: SSL1 from SAP OnDemand to SAP Web Dispatcher, SSL2 from SAP Web Dispatcher to SAP Web AS, SSL3 end-to-end from SAP Web AS to SAP OnDemand.]

For calls from SAP Web AS (1) to SAP OnDemand (8), end-to-end SSL shall be used. A transparent HTTP(S) proxy (3') passes the requests without terminating SSL.

For calls from SAP OnDemand (8) to SAP Web AS (1), SSL shall be used. SAP OnDemand (8) connects to SAP Web Dispatcher (3) using SSL. SAP Web Dispatcher (3) terminates SSL.

SAP Web Dispatcher (3) verifies client certificates, performs request filtering, URL rewriting, and load balancing. SAP Web Dispatcher (3) should also use SSL for its own connection to SAP Web AS (1), marked SSL2 in the figure.

SAP Web Dispatcher (3) adds information contained in the X.509 client certificate to HTTP header fields so that SAP Web AS (1) can map the certificate to a user. For more information about this feature, see section X.509-Based Logon to NW AS from SAP Web Dispatcher in the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm

Note

The use of encryption on link SSL1 is paramount. The communication between SAP Web Dispatcher (3) and SAP Web AS (1) typically stays inside the customer's premises and networks, and some customers choose performance over security and do not encrypt link SSL2. For security reasons, you should use SSL on SSL2 as well.

This corresponds to option 4 in section SAP Web Dispatcher and SSL in the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm

[Figure: SSL options for SAP Web Dispatcher. Image source: help.sap.com]

Note You must use SSL for any communication over public networks.

In test environments, you should at least use anonymous SSL with basic authentication.

In production environments, you should use SSL with X.509 client certificate-based authentication on SSL1, SSL2 and SSL3.

You find an overview of SAP Web AS (1) and SSL in section Using the Secure Sockets Layer Protocol with the AS ABAP in the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm

You find an overview of how to enable SAP Web Dispatcher for SSL support in section “Configuring the SAP Web Dispatcher to Support SSL” in the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm

4.2.1 SAP Web AS Consumes SAP Cloud Service

[Figure: SAP Web AS (1) calls SAP OnDemand (8) through the transparent HTTP(S) proxy (3'), proxy.mycompany.corp:8080, to https://my12345.solution.ondemand.com:443; link SSL3 is end-to-end between (1) and (8).]


Communication from SAP Web AS (1) to SAP OnDemand (8)

SAP OnDemand (8) exposes a resource https://my12345.solution.ondemand.com/api/mywebservice

The communication from SAP Web AS (1) is mediated by a transparent HTTP(S) proxy (3') with the proxy address proxy.mycompany.corp:8080. A transparent proxy does not terminate SSL.

SAP Web AS (1) acts as SSL client towards SAP Cloud (8); hence SAP Web AS (1) must establish a trust relationship with SAP Cloud (8). For this, import the root certificate of the Certification Authority (CA) that has signed the SSL server certificate of SAP Cloud (8) into the SSL client PSE used for this communication. See also section 6.1.

For HTTP(S) communication from SAP Web AS (1) to SAP Cloud (8), maintain the proxy address proxy.mycompany.corp:8080 in the HTTP destination (transaction SM59) or in SOA Manager.

Note

Productive environments should increase security by using X.509 client certificates.

4.2.2 SAP Cloud Consumes SAP Web AS Service

[Figure: SAP OnDemand (8) calls SAP Web AS (1) through SAP Web Dispatcher (3): link SSL1 to webapi.mycompany.com:443, link SSL2 from SAP Web Dispatcher (3) to mysapwebas.secure.mycompany.corp:44300.]

Communication from SAP Cloud to SAP Web AS (1)

Let SAP Web AS (1) have the host name mysapwebas.secure.mycompany.corp. As there is no direct access to SAP Web AS (1) from outside the high security zone, SAP Web AS (1) has neither a public DNS name nor a public IP address.

Let SAP Web AS (1) expose a web resource under the internal URL

https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.

Note For an SAP instance with instance ID 00, the default HTTPS port is 44300 rather than the well-known port 443.

For accessing this resource from the SAP Cloud, use the following public resource (visible from SAP Cloud):

https://webapi.mycompany.com:443/sapcloudapi/idoc


Note SAP Cloud only supports HTTPS over port 443. Verify deviating requirements.

SAP Web Dispatcher (3) acts as Reverse Proxy for SAP Web AS (1)

Calls from SAP Cloud to (1) use the following URL:

https://webapi.mycompany.com:443/sapcloudapi/idoc.

Provide a public DNS (Domain Name Service) entry for host name webapi.mycompany.com pointing to the public IP address of SAP Web Dispatcher (3).

SAP Web Dispatcher (3) terminates SSL. Therefore, SAP Web Dispatcher (3) needs an SSL Server Certificate for the host name webapi.mycompany.com.

The SSL Server Certificate of SAP Web Dispatcher (3) for host name webapi.mycompany.com must have been signed by a Certification Authority (CA) to which SAP Cloud has declared a trust relationship.

SAP Web Dispatcher (3) establishes a separate SSL connection SSL2 to SAP Web AS (1) where SAP Web Dispatcher (3) acts as SSL client and SAP Web AS (1) acts as SSL server. SAP Web Dispatcher (3) must have a trust relationship to the SSL Server Certificate maintained in SAP Web AS (1).

SAP Web Dispatcher rewrites the URL and forwards the HTTP call to the URL: https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311 – secured using SSL.

To act as SSL server, SAP Web AS ABAP (1) also needs an SSL server certificate. In a simple configuration, SAP Web AS (1) has a self-signed SSL server certificate, and SAP Web Dispatcher (3) declares its trust by importing this server certificate into the certificate list of its trust manager.

To use SSL with client-certificate-based authentication on SAP Web Dispatcher (3), configure SAP Web Dispatcher (3) to accept or enforce client certificates by maintaining profile parameter icm/HTTPS/verify_client on SAP Web Dispatcher. By default (value 1), client certificates are accepted but not enforced; value 2 enforces them.

For more information, see section icm/HTTPS/verify_client in the SAP NetWeaver 7.0 Library at: http://help.sap.com/saphelp_nw70/helpdata/en/0d/88153a1a5b4c2de10000000a114084/content.htm

The SAP Cloud client certificates used for this communication can be exported from SAP Cloud (8). The client certificates must be signed by a trusted certification authority. Import the root certificate and every intermediate CA certificate of the chain into the SSL Server Standard PSE of SAP Web Dispatcher (3) so that it can verify the validity of the client certificate.

For example: SAP Business ByDesign uses client certificates issued by SAP Trust Community (see section 5.5 Define Certificate to User Mapping in SAP Web AS for an example).

Note If you do not terminate SSL on SAP Web Dispatcher (3) but on SAP Web AS (1), you need to perform the previous steps only on SAP Web AS (1).

You map the client certificate to a local user account in the respective client of the SAP System of SAP Web AS (1). For more information, see section 5.5 Define Certificate to User Mapping in SAP Web AS.

Firewall (4) must pass through calls from SAP Cloud to webapi.mycompany.com, that is, for HTTPS traffic originating from the proxy server(s) / application delivery controller (6) in the SAP Cloud. You should restrict communication by activating source IP filtering.

Note To enable Source IP filtering on firewall (4), request the source IP address range for the proxy servers of the data center(s) operating your SAP Cloud solution.


SAP Web Dispatcher performs a URL filter and URL rewrite – so that only calls from SAP Cloud with the allowed URLs can pass.

SAP Web Dispatcher (3) rewrites

https://webapi.mycompany.com:443/sapcloudapi/idoc

to

https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.

Configure firewall (2) to allow connections from SAP Web Dispatcher (3), webdispatcher.dmz.mycompany.corp, to SAP Web AS (1), mysapwebas.secure.mycompany.corp, on port 44300, so that SAP Web Dispatcher (3) can forward the calls it receives on port 443.

4.3 Landscape Variations (Examples)

4.3.1 High Security Landscape

[Figure: High security landscape using zones, firewalls, SAP Web Dispatcher for SAP system load balancing, and an additional application delivery controller.]

The following example shows a landscape with additional zones and security components:

(3a) An additional firewall separates the inner DMZ and outer DMZ. SAP Web Dispatcher is moved into the inner DMZ.

(3b) An application delivery controller is inserted between the public Internet and SAP Web Dispatcher in the outer DMZ. The application delivery controller can offer advanced security capabilities, such as denial of service (DoS) detection.

For more information, see the SAP NetWeaver 7.0 Network Security Guide at:

http://help.sap.com/saphelp_nw70/helpdata/en/9d/44d7bc73ddce4f96f09de874350e78/frameset.htm


4.3.2 Alternative Landscape

The following diagram shows a reduced landscape. Compared to the reference landscape above, the application delivery controller (3b) replaces both SAP Web Dispatcher (3), acting as reverse proxy, and the transparent HTTP(S) proxy (3').

For calls from SAP OnDemand (8) to SAP Web AS (1), the application delivery controller (3b) terminates SSL. The Application Delivery Controller can perform filtering, URL rewriting and content inspection.

For calls from SAP Web AS (1) to SAP OnDemand (8), the application delivery controller (3b) acts as transparent HTTP(S) proxy.

[Figure: alternative landscape with the application delivery controller (3b) between the firewalls in place of SAP Web Dispatcher (3) and the transparent proxy (3').]


5 Procedure Model

5.1 Preparation

Obtain SAP Web Dispatcher from SAP Service Marketplace

Obtain SAP Crypto Libraries from SAP Service Marketplace

Download Root CA Certificate(s)

Define network topology

o Document / define in which network zones Web AS ABAP, SAP Web Dispatcher and other connectivity devices reside

o Define internal / external host names and URLs

o Derive URL filter and mapping rules

o Define IP filter rules

Request IP addresses, URLs and DNS entries

Request communication user(s) in the SAP System (1) used for communication from (8) to (1).

5.2 Install Web Dispatcher and Crypto Libraries

1. Install SAP Web Dispatcher on a machine in the defined network zone. In the reference landscape, this is the DMZ; in the terminology of the SAP Network Security Guide, it is the inner DMZ.

2. Configure SAP Web Dispatcher (3) to support SSL as described in the section Configuring the SAP Web AS for Supporting SSL in the SAP NetWeaver 7.3 Library at:

http://help.sap.com/saphelp_nw73/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm

For more information about how to configure SAP Web Dispatcher to terminate SSL and other options, see section Configuring the SAP Web Dispatcher to Support SSL in the SAP NetWeaver 7.3 Library at:

http://help.sap.com/saphelp_nw73/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm.

In our reference scenario, we terminate SSL on SAP Web Dispatcher. In the above section, this is described as option 4.

3. Configure SAP Web AS (1) to support SSL as described in section Using the Secure Sockets Layer Protocol with the AS ABAP in the SAP NetWeaver 7.3 Library at:

http://help.sap.com/saphelp_nw73/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm

4. Configure URL filters and rewrite rules.

Note

For more information about the required SSL certificates, see the next section Enable SSL on SAP Web AS and SAP Web Dispatcher.


Note SAP Web Dispatcher needs an external DNS entry and IP address. SAP Cloud must be able to access SAP Web Dispatcher on standard HTTPS port 443.

SAP Web Dispatcher also needs access to the HTTPS port configured in SAP Web AS ABAP. By default, this is 443$$, where $$ represents the system’s instance ID (which can also be found in Web AS ABAP’s instance profile using transaction RZ10).

Note Make sure that you have installed and enabled SAP Crypto Libraries.

5.3 Enable SSL on SAP Web AS and SAP Web Dispatcher

In the reference landscape, SAP Web Dispatcher (3) terminates SSL for calls originating in SAP Cloud (8) directed to SAP Web AS (1).

For calls from SAP Web AS (1) to SAP Cloud (8), SAP Web AS ABAP (1) uses a transparent HTTP(S) proxy that does not terminate SSL.

SAP Web AS (1) needs a trust relationship to the Root CA that has signed the SSL server certificate of SAP Cloud (8).

SAP Web Dispatcher (3) needs an SSL server certificate signed by one of the Certification Authorities to which SAP Cloud has maintained a trust relationship.

SAP Web AS ABAP (1) needs an SSL server certificate; in the reference landscape this is a self-signed certificate, alternatively a CA-signed certificate can be used.

On SAP Web Dispatcher (3), you need to maintain a trust relationship to SAP Web AS ABAP (1).

5.3.1 Import Certificates in SAP Web AS ABAP Trust Manager

In a test landscape, you can use SSL with basic authentication (user name and password):

o On SAP Web AS (1), create a PSE for SSL Client (Anonymous).

o Into this PSE, import the CA root certificate (see section 6.1 Valid Trusted CAs), for example sureserver_ev_roots.cer, which you have downloaded from https://secure.omniroot.com/support/sureserver/rootcert.cfm

In a productive environment, you should use SSL with client certificate authentication (to use certificate-based logon to the SAP cloud):

o Use an existing PSE (such as SSL Client Standard) or create a new one – for example, a dedicated PSE in SAP Web AS ABAP (1) for SAP Cloud: Use transaction SE16 to create a new entry in table STRUSTSSL.

The following screenshot shows a new entry with Identity SAPOD.


o On SAP Web AS (1), use transaction STRUST to create a PSE for SSL Client (SAP Cloud), or create or reuse the default PSE SSL Client (Standard).

Note A missing PSE is marked with a red cross. Use right-mouse-click > Create to create the PSE. To select and open a PSE, double click the PSE name in the trust manager’s navigation tree on the left-hand side.

The selected PSE is indicated in the Detail section’s group title. For example, in the screenshot below it is labeled as “SSL client SAPCloud …”

o Create a certificate request for this PSE.

o Have one of the supported Certification Authorities sign the certificate request and obtain the certificate response in PKCS#7 certificate chain format, Base64 encoded. For more information, see section 6.3 Valid CAs for Signing Client Certificates.

o Import the certificate response into the same PSE.

o Into this PSE, import the CA root certificate (see section 6.1 Valid Trusted CAs), for example sureserver_ev_roots.cer, which you have downloaded from https://secure.omniroot.com/support/sureserver/rootcert.cfm

o Make sure the right PSE is selected by verifying the detail section’s group title – in the screen shot below “SSL client SAPCloud…”

o In the group labeled “Certificate”, use the “import from file” function and import the CA’s root certificate file (*.cer, base64 encoded). Verify the certificate by checking Owner, Issuer, Validity.

o Then choose Add to Certificate List.

o Verify that the certificate shows up in the certificate list. In the screenshot below, “GTE CyberTrust …” and “Cybertrust SureServer…” have been imported to the certificate list.


o Save changes.

o Perform a soft reset of ICM to activate the changes. (SMICM > Administration > ICM > Soft Reset > Local).

5.3.2 Create Self-Signed SSL Server Certificate on SAP Web AS

On SAP Web AS (1), create a PSE for SSL Server (Standard); this results in a self-signed SSL server certificate. For the SAP Web AS instance used as SAP Web AS (1), derive the distinguished name of the certificate from the host name, the system's installation number, and your company name.

Note If you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

The distinguished name on SAP Web AS (1) then would be CN=mysapwebas.secure.mycompany.corp, OU=I1234567890-SAP AG, OU=SAP Web AS, O=SAP Trust Community, C=DE.

The distinguished name on SAP Web Dispatcher (3) then would be CN=webapi.mycompany.com, OU=I0123456789-SAP AG, OU=SAP Web AS, O=SAP Trust Community, C=DE.


Note You need a CA-signed SSL Server Certificate if you terminate SSL on SAP Web AS, described as option 5 in section SAP Web Dispatcher and SSL in the SAP NetWeaver 7.0 Library at: http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm.

In this case, you must create an SSL Server Certificate for the external host name webapi.mycompany.com on SAP Web AS (1). The host name must correspond to the host name used in the URL in the SAP Cloud Solution.

To verify the certificate, proceed as follows:

1. Open the newly created PSE for SSL Server Standard.

2. Verify that its name is displayed in the detail section’s group title SSL server Standard.

3. Double click the output field next to label Owner.

4. The SSL Server Certificate details will be shown in the Certificate section.

5. In the Certificate section, with the SSL server certificate opened, choose Export Certificate and save the certificate to a file in Base64 encoding, for example MyWebAsSSLServer.cer. Use the file extension .cer.


Note On Windows, you can display the certificate details by double clicking the *.cer file in the Explorer. You can use this to verify certificate details, like the host name, and that the certificate has been signed by a supported Root CA like SAPNetCA.

[Screenshots: SSL Server Certificate signed by SAPNetCA.]


5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher

Note For this task and the subsequent ones, follow procedure 5.3.2 for using the Trust Manager, or refer to Trust Manager and SAP Web Dispatcher online documentation for details.

Configure SAP Web Dispatcher (3) to support SSL as described in section Configuring the SAP Web Dispatcher to Support SSL in the SAP NetWeaver 7.0 Library at: http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm

Configure SAP Web AS (1) to Support SSL as described in section Configuring the SAP Web AS for Supporting SSL in the SAP NetWeaver 7.0 Library at: http://help.sap.com/saphelp_nw70/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm

Perform the following steps:

1. On SAP Web Dispatcher, create a PSE for SSL Server (Standard) – resulting in a self-signed SSL Server Certificate.

2. For the self-signed server certificate on SAP Web Dispatcher, create a certificate request.

3. Have one of the supported Certification Authorities sign the certificate request and obtain the certificate response in PKCS#7 certificate chain format, Base64 encoded.

Note For an example of how you can sign SSL Server Certificates using SAP Trust Center, see section 5.7.5 Signing Certificate Requests using SAP Trust Service.

4. Import the certificate response into SAP Web Dispatcher (3)’s SSL Server (Standard) PSE.

5.3.4 Import SAP Web AS Server Certificate into SAP Web Dispatcher’s Trust Manager

Note

For online documentation, refer to the sources mentioned in section 5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher.

Perform the following steps:

1. On SAP Web Dispatcher, create a PSE for SSL Client (Standard). The result is a PSE with a self-signed client certificate.

2. Export this client certificate to a file in Base64 format; it is imported into SAP Web AS ABAP in the next section.

3. Import the SSL server certificate exported from SAP Web AS ABAP (1) in section 5.3.2 into the certificate list of this PSE.


5.3.5 Import SAP Web Dispatcher’s Client Certificate into SAP Web AS ABAP Trust Manager

Note For online documentation, refer to the sources mentioned in section 5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher.

On SAP Web AS ABAP (1), open the PSE for SSL Server (Standard) and import the client certificate exported from SAP Web Dispatcher (3) in the previous section into its certificate list. This certificate identifies SAP Web Dispatcher (3) on link SSL2; only a peer presenting it should be trusted as the source of forwarded client certificate information (see section 5.4.3).

5.4 Configure Network Components

5.4.1 Configure Firewall Settings

For SSL-based communication between SAP Web AS (1) and SAP OnDemand (8), you have to configure how SSL will pass through specific ports and source / destination hosts.

[Figure: reference landscape with components (1) to (8), the transparent proxy (3') and links SSL1, SSL2 and SSL3, as in section 4.2.]

Sample resource addresses:

(1) https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311

mysapwebas.secure.mycompany.corp:44300

(3) inbound: https://webapi.mycompany.com:443/sapcloudapi/idoc.

(3) internal hostname webdispatcher.dmz.mycompany.corp

(3’) proxy.mycompany.corp:8080

(8) https://my12345.solution.ondemand.com/api/mywebservice


Required Configuration

Configure firewall (2) to pass HTTPS from host (1) to the transparent HTTP(S) proxy (3'), that is, from the high security area, specifically host mysapwebas.secure.mycompany.corp, to proxy.mycompany.corp:8080.

Configure firewall (4) to pass calls from the transparent proxy (3') proxy.mycompany.corp to my12345.solution.ondemand.com:443.

Configure firewall (4) to pass traffic from the application delivery controller (6) (acting as proxy for (8)) to SAP Web Dispatcher (3) on port 443. Provide a public DNS entry and IP address, in the example webapi.mycompany.com, for SAP Web Dispatcher (3).

If desired, configure source IP filtering in firewall (4) using the IP addresses of SAP Cloud Proxy Servers / Application Delivery Controllers (6).

Note If you want to configure source IP filtering, request the IP addresses of ADC (6) from SAP Managed Services.

Configure firewall (2) to pass traffic from SAP Web Dispatcher (3) webdispatcher.dmz.mycompany.corp to SAP Web AS (1) on port 44300.

5.4.2 Configure URL Filter and Rewrite Rules on SAP Web Dispatcher

There are several motivating factors in using the filtering and rewrite capabilities of SAP Web Dispatcher:

Increase security by restricting access from the public Internet to your ERP system.

Hide implementation details from external access: here, topology of the ERP landscape.

Keep external URLs stable even during landscape changes.

Note In our reference landscape, we use one Web Dispatcher as reverse proxy for a single SAP ABAP System. Different topologies require adaptation in the configuration.

According to the reference scenario above, we want to configure rewrite of external URL

https://webapi.mycompany.com:443/sapcloudapi/idoc

to the internal URL

https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.

on SAP Web Dispatcher (3).

To leverage filtering and URL rewrite capabilities, as of release 7.10, the SAP Web Dispatcher includes a modification handler that you can configure for rewriting URLs.

With the parameter icm/HTTP/mod_<xx> you can configure modifications of HTTP Requests and define rules by which the SAP Web Dispatcher changes the HTTP request before it forwards it. This includes header field manipulation, URL rewrite, and other functions.

You can find a complete set of possible configurations, as well as a detailed description of how to configure rewriting URLs, in the SAP NetWeaver Library (for SAP NetWeaver Process Integration 7.1) at:


http://help.sap.com/saphelp_nwpi711/helpdata/en/4d/684daeecd446e7b5e9999496166e3f/frameset.htm

We define a web dispatcher profile based on the example of the SAP Web Dispatcher documentation in the SAPs NetWeaver Library (for SAP NetWeaver Process Integration 7.1):

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/957caf94cc73eae10000000a42189b/frameset.htm

We assume that the SAP system’s message server resides on the same host as SAP Web AS (1), that is mysapwebas.secure.mycompany.corp, and that the message server port is 8081. Verify your configuration.

By default, SAP Web Dispatcher accepts SSL client certificates but does not enforce them (icm/HTTPS/verify_client = 1). To enforce client certificates, as recommended for productive environments, remove the comment from the following row:

#icm/HTTPS/verify_client = 2

Activate SSL on port 443 and terminate SSL on SAP Web Dispatcher:

icm/server_port_0 = PROT=HTTPS,PORT=443

If you want to use end-to-end SSL instead, comment out the previous row and remove the comment from the following row:

#icm/server_port_0 = PROT=ROUTER,PORT=443

Also consider the sizing and performance impact of the alternatives. For more information, see section 5.7.2 Web Dispatcher Performance Tuning.

Activate a modification handler for request filtering and URL rewriting for URLs with path prefix /sapcloudapi:

icm/HTTP/mod_0 =PREFIX=/sapcloudapi FILE=sapcloud.action

For more information, see section icm/HTTP/mod_<xx> in the SAP NetWeaver Process Integration 7.1 Library at: http://help.sap.com/saphelp_nwpi711/helpdata/en/48/49c7403a79350ce10000000a42189d/frameset.htm

The adapted SAP Web Dispatcher profile file (for example, sapwebdisp.pfl):

# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
SAPSYSTEM = 66

# Directory variables
DIR_EXECUTABLE = .
DIR_INSTANCE = .

# Message Server Description
rdisp/mshost = mysapwebas.secure.mycompany.corp
ms/http_port = 8081

# SAP Web Dispatcher Parameters
wdisp/auto_refresh = 120
wdisp/max_servers = 100

# Client certificates
# default value is 1: accept client certificates but do not enforce them
# to enforce client certificates (productive use), remove the comment
#icm/HTTPS/verify_client = 2

# Parameters for the HTTPS Routing
wdisp/HTTPS/dest_logon_group = HTTPS
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0

# Description of the Access Points
# SSL terminated on SAP Web Dispatcher (option 4, next two rows):
# the connection to SAP Web AS ABAP on link SSL2 is always re-encrypted
icm/server_port_0 = PROT=HTTPS,PORT=443
wdisp/ssl_encrypt = 1
# Alternative: end-to-end SSL, terminated on SAP Web AS ABAP
#icm/server_port_0 = PROT=ROUTER,PORT=443

# Description of the Resources
icm/min_threads = 20
icm/max_threads = 40
icm/max_conn = 500

# Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536

# Request filtering and URL rewriting for path prefix /sapcloudapi
icm/HTTP/mod_0 = PREFIX=/sapcloudapi FILE=sapcloud.action

We create an action file sapcloud.action comprising filter and rewrite rules based on the example in the SAP NetWeaver 7.3 Library on Defining Modification Actions: http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm

For more information about the naming example and considerations about where to store the action file in case you want to apply the same set of rules on several hosts, see also section icm/HTTP/mod_<xx> in the SAP NetWeaver 7.3 Library at:

http://help.sap.com/saphelp_nw73/helpdata/en/48/49c7403a79350ce10000000a42189d/frameset.htm

We set a request filter that forbids any request not addressed to host name webapi.mycompany.com:

if %{HTTP_HOST} regimatch !webapi.mycompany.com
RegForbiddenUrl ^/(.*) -

We forbid all requests that are neither GET nor POST:

if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -

We perform URL rewriting so that the external path is mapped to the path configured in the ICF configuration of SAP Web AS (1) (transaction SICF). For the host name webapi.mycompany.com, we want to pass the requests to client 311 of our SAP system. The external path /sapcloudapi/idoc is mapped to the ICF path of the IDOC SOAP inbound service, /sap/bc/srt/IDoc?sap-client=311. The pattern is anchored at both ends; since it contains no capture group, the replacement must not reference $1:

# Map external URL for IDOC SOAP end point to internal URL
# default IDOC SOAP inbound: /sap/bc/srt/IDoc - verify in tx SICF / SRTIDOC
# Client with parameter ?sap-client=311
if %{HTTP_HOST} regimatch webapi.mycompany.com
RegIRewriteUrl ^/sapcloudapi/idoc$ /sap/bc/srt/IDoc?sap-client=311

The complete action file sapcloud.action:

# Modification rules for WebDisp
# set WebDisp header
SetHeader clientProtocol %{SERVER_PROTOCOL}
SetHeader X-SAP-WEBDISP-AP %{SERVER_ACCESS_POINTS}

# check for forbidden host names
# in this example action file only webapi.mycompany.com is allowed!
if %{HTTP_HOST} !regimatch "^webapi\.mycompany\.com(:443)?$"
RegForbiddenUrl ^/(.*) -

# check for forbidden method
if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -

# URL rewriting
# Map external URL for IDOC SOAP end point to internal URL
# default IDOC SOAP inbound: /sap/bc/srt/IDoc - verify in tx SICF / SRTIDOC
# Client with parameter ?sap-client=311
if %{HTTP_HOST} regimatch "^webapi\.mycompany\.com(:443)?$"
RegIRewriteUrl ^/sapcloudapi/idoc$ /sap/bc/srt/IDoc?sap-client=311
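The rule chain can be exercised offline before it is deployed on the SAP Web Dispatcher. The following Python script is an added example for this guide, not code from the original document or from SAP: it models the semantics of the modification rules (top-to-bottom evaluation, an "if" guarding only the action that follows it, 403 on a matching RegForbiddenUrl, case-insensitive rewrite) and runs constructed requests through them. It shows why the Host pattern must be anchored and that the chain as printed forwards every other path on the allowed host unchanged; a hardened variant adds a path allow-list. The host name, paths and client number are the guide's example values; the sample traffic is constructed, and the %{PATH} variable named in the hardened variant's comment is an assumption about Web Dispatcher syntax to be verified against the SAP help before use.

```python
"""Offline model of the sapcloud.action rule chain (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

OK = 200
FORBIDDEN = 403
EXTERNAL_PATH = "/sapcloudapi/idoc"                 # published external path
INTERNAL_URL = "/sap/bc/srt/IDoc?sap-client=311"    # ICF path + client on SAP Web AS


class Forbidden(Exception):
    """A RegForbiddenUrl action matched: Web Dispatcher answers 403 and stops."""


@dataclass(frozen=True)
class Request:
    host: str    # value of the Host header, e.g. "webapi.mycompany.com:443"
    method: str  # HTTP method as sent by the client
    path: str    # URL path without query string


# Anchored host pattern: dots escaped, optional ":443" for clients that
# address https://webapi.mycompany.com:443/... and send the port.
HOST_PATTERN = re.compile(r"^webapi\.mycompany\.com(:443)?$", re.IGNORECASE)

# The same name typed as an unanchored regex with unescaped dots; kept only
# to show what it additionally matches (see host_matches checks below).
LOOSE_HOST_PATTERN = re.compile(r"webapi.mycompany.com", re.IGNORECASE)


def host_matches(pattern: "re.Pattern", host: str) -> bool:
    """Emulate 'if %{HTTP_HOST} regimatch <pattern>' (regex search, ignore case)."""
    return pattern.search(host) is not None


def page_rules(req: Request) -> str:
    """Rule chain as printed above: host filter, method filter, host-scoped
    rewrite. Returns the URL that is forwarded to SAP Web AS."""
    # if %{HTTP_HOST} !regimatch "^webapi\.mycompany\.com(:443)?$"
    # RegForbiddenUrl ^/(.*) -
    if not host_matches(HOST_PATTERN, req.host):
        raise Forbidden("host")
    # if %{REQUEST_METHOD} !stricmp "GET" [AND]
    # if %{REQUEST_METHOD} !stricmp "POST"
    # RegForbiddenUrl ^/(.*) -
    if req.method.upper() not in ("GET", "POST"):
        raise Forbidden("method")
    # if %{HTTP_HOST} regimatch "^webapi\.mycompany\.com(:443)?$"
    # RegIRewriteUrl ^/sapcloudapi/idoc$ /sap/bc/srt/IDoc?sap-client=311
    if req.path.lower() == EXTERNAL_PATH:
        return INTERNAL_URL
    # No rule matched: the request is forwarded unchanged, so any other ICF
    # path of the backend is reachable through the external host name.
    return req.path


def hardened_rules(req: Request) -> str:
    """Same chain plus a path allow-list before the rewrite, so only the
    published external path ever reaches SAP Web AS. The extra rule would be
    (assumption: %{PATH} is the Web Dispatcher variable for the URL path):
        if %{PATH} !stricmp "/sapcloudapi/idoc"
        RegForbiddenUrl ^/(.*) -
    """
    if not host_matches(HOST_PATTERN, req.host):
        raise Forbidden("host")
    if req.method.upper() not in ("GET", "POST"):
        raise Forbidden("method")
    if req.path.lower() != EXTERNAL_PATH:
        raise Forbidden("path")
    return INTERNAL_URL


def dispatch(rules: Callable[[Request], str], req: Request) -> Tuple[int, Optional[str]]:
    """Run one rule chain; return (HTTP status, URL forwarded to the backend)."""
    try:
        return OK, rules(req)
    except Forbidden:
        return FORBIDDEN, None


# Constructed sample traffic for this example (not from the guide).
SAMPLES = {
    "idoc_post": Request("webapi.mycompany.com:443", "POST", "/sapcloudapi/idoc"),
    "idoc_mixed_case": Request("webapi.mycompany.com", "post", "/SapCloudApi/IDoc"),
    "wrong_host": Request("intranet.mycompany.corp", "POST", "/sapcloudapi/idoc"),
    "host_suffix": Request("webapi.mycompany.com.attacker.example", "POST", "/sapcloudapi/idoc"),
    "put_method": Request("webapi.mycompany.com", "PUT", "/sapcloudapi/idoc"),
    "backend_path": Request("webapi.mycompany.com", "GET", "/sap/bc/gui/sap/its/webgui"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16s} page: {dispatch(page_rules, req)}  "
              f"hardened: {dispatch(hardened_rules, req)}")
```

Running the script prints, for each sample, what the page's chain and the hardened chain do with it; the "backend_path" sample is the one the two chains treat differently. Only the RegForbiddenUrl and RegIRewriteUrl lines are modelled; the SetHeader lines do not influence filtering.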

See also SAP Web Dispatcher Help:

SAP Web Dispatcher:

http://help.sap.com/saphelp_nw73/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm

Modifications of HTTP Requests:

http://help.sap.com/saphelp_nw73/helpdata/en/48/9266acaa6b17cee10000000a421937/frameset.htm

Defining Modification Actions:

http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm

5.4.3 Client Certificate Handling with SAP Web Dispatcher

SAP Web Dispatcher supports mapping of the client certificate / X.509 identification to HTTP header fields.

While SAP Web Dispatcher (3) terminates SSL in the reference landscape, the client certificate can still be used for user mapping in SAP Web AS (1): the Web Dispatcher forwards the certificate it verified during the SSL handshake to the backend in an HTTP header, and the backend maps it to a user as described in section 5.5.

Because the certificate then arrives in a header rather than through the backend's own SSL handshake, SAP Web AS must accept such headers only from the Web Dispatcher itself: the Web Dispatcher authenticates to the backend over SSL with its own client certificate, the backend trusts exactly that certificate through the profile parameters icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject, and the HTTP(S) ports of SAP Web AS must not be reachable from outside the internal network. Otherwise a client that can reach SAP Web AS directly could send a forged certificate header and log on as any mapped user.

For more information, see section X.509-Based Logon to NW AS from SAP Web Dispatcher in the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm

5.4.4 Example SAP Web Dispatcher Configurations

For configuration examples, see the section Parameterization of the SAP Web Dispatcher in the SAP NetWeaver 7.3 Library at:

http://help.sap.com/saphelp_nw73/helpdata/en/de/89023c59698908e10000000a11402f/frameset.htm

Adapt these examples to your company-specific settings and incorporate the above configurations for SSL termination, request filtering, and URL rewriting.

5.4.5 Configure Settings on Additional Connectivity Components

For supported application gateway configurations, see SAP Note 833960.

5.5 Define Certificate to User Mapping in SAP Web AS

5.5.1 Preparation

In SAP Cloud (8), you have configured a communication arrangement with authentication based on client certificates. Open the respective communication arrangement and verify that certificate-based authentication is used. Then download the certificate and save it to a file, for example under the name SAP Cloud Client Certificate.cer.

Example: a client certificate exported from SAP Travel OnDemand from an outbound communication arrangement that uses certificate-based authentication, with the certificate selected for the “system key”.

5.5.2 Define Mapping

Perform the following steps:

1. On SAP Web AS ABAP (1), use transaction SM30 to maintain view VUSREXTID.

2. Add a new entry for external ID type “DN” (distinguished name), which represents user identification by X.509 client certificate.

3. Import the external ID from the certificate file (in the above example: SAP Cloud Client Certificate.cer) so that the external ID is filled with the subject name from the certificate.

4. Maintain a minimum date (such as the current date) and the user ID of the communication user that this certificate shall log on as.

The sequence number is typically 001 unless you have several entries for the same external ID.

The mapping is based on the subject DN of the certificate only. Which issuers are accepted for a client certificate carrying that subject is decided by the CAs trusted by the SSL server PSE that performs the client authentication (the SAP Web Dispatcher in the reference landscape), so restrict that list to the CAs given in section 6.

The following screenshot shows the result of a newly created entry in the user mapping view VUSREXTID:

5.6 Perform Connectivity Tests

You can find information about how to perform connectivity tests in the SAP NetWeaver Library at:

Section Where to Find

Testing the SSL Configuration

http://help.sap.com/saphelp_nw73/helpdata/en/49/3d938a501a2009e10000000a42189c/frameset.htm

Testing the SSL Connection to the AS ABAP over the SAP Web Dispatcher

http://help.sap.com/saphelp_nw73/helpdata/en/49/4594d63a293b5be10000000a42189b/frameset.htm

Refer also to your solutions integration guide about how to perform specific connectivity and integration tests.

You can also verify that the external URL works. You will need logon information to verify the IDOC / SOAP port. You can enter the external and internal URLs in the browser. In our reference scenario, they are:

https://webapi.mycompany.com:443/sapcloudapi/idoc

https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311

Also check that the filter rules are effective: a request to the external host for a path other than /sapcloudapi/idoc, or with a Host header other than webapi.mycompany.com, must be answered with 403 by SAP Web Dispatcher and must not reach SAP Web AS.

You can verify the SSL server certificates in Internet Explorer by clicking the lock symbol next to the address field. Display the certificate details and the certificate path: the external URL must present the CA-signed certificate of SAP Web Dispatcher, the internal URL the certificate of SAP Web AS.

For more information, see section 5.3.2 Create Self-Signed SSL Server Certificate on SAP Web AS.

5.7 Selected Application Integration Topics

5.7.1 Verify SSL Support on SAP Web AS and SAP Web Dispatcher

For information about the configuration of the SAP Web AS for supporting SSL, see the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/EN/65/6a563cef658a06e10000000a11405a/frameset.htm

For information about the configuration of the SAP Web Dispatcher to support SSL, see the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm

5.7.2 SAP Web Dispatcher Performance Tuning

You can find information on configuration options relevant for SAP Web Dispatcher performance tuning in the following help.sap.com resources:

Server Selection and Load Balancing Using the SAP Web Dispatcher

http://help.sap.com/saphelp_nw70/helpdata/en/5f/7a343cd46acc68e10000000a114084/content.htm

Timeout Options for ICM and Web Dispatcher

http://help.sap.com/saphelp_nwpi71/helpdata/en/48/88b52977323cb8e10000000a42189d/content.htm

SAP Web Dispatcher 7.1 Sizing Guide

https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf

You can find general performance optimization information in the SAP Press book SAP Performance Optimization Guide. See section 7.4, SAP Press Books, for the full reference.

5.7.3 Configure SSL on HTTP Destinations Using SM59

For information about how to specify that a connection should use SSL, see the SAP NetWeaver 7.0 Library at:

http://help.sap.com/saphelp_nw70/helpdata/EN/5b/2e423c0bcc4a7ee10000000a114084/frameset.htm

In particular, you must make sure that:

You check SSL protocol support.

You choose the right PSE:

o If you use basic authentication (username and password), use SSL Client Anonymous, and verify in trust manager STRUST that you have imported the root certificates of the Certification Authority that has signed the SSL server certificate of SAP Cloud (8). See also section 6.1.

o If you use X.509 client certificate authentication on SAP Cloud, select the PSE that you have defined as described in the second option in section 5.3.1.

5.7.4 Configure SSL for IDOC over SOAP

IDOC-based communication between SAP Business Suite and SAP Business ByDesign (and solutions based on SAP Business ByDesign) partly uses IDOC over SOAP. For this communication, an IDOC message is XML encoded and then transferred between SAP Web AS ABAP and SAP Cloud using the SOAP protocol.

The ALE configuration in SAP Web AS uses the same tools as IDOC communication using the RFC protocol, specifically:

ALE Distribution Model (transaction BD64)

Partner Profile (transaction WE20)

Destinations (transaction SM59)

Procedure Model

1. Set up SSL support (particularly PSEs) as described in the previous sections.

2. Configure the ALE Distribution Model according to the Master Guide or Integration Guide of the respective solution.

3. When maintaining the partner profiles for the IDOC types, choose an HTTP destination that uses the desired PSE with basic or client-certificate-based authentication.

4. Select the content type Application/x-sap.idoc. This option is only available if you have implemented SAP Note 1510812 (information valid at the time of writing). Read this SAP Note for further information.

Note IDOC over SOAP has further implications with respect to package size and batch / immediate processing. For more information, see SAP Note 1510812.

5.7.5 Signing Certificate Requests using SAP Trust Service

You can have SSL server certificates signed by SAP Trust Service for a service fee.

For more information, see the SAP Trust Center Services in SAP Service Marketplace at: https://service.sap.com/tcs

For test purposes, you can have SSL server certificates signed for a validity period of 8 weeks. Before using such a certificate on the SAP Web Dispatcher that SAP Cloud connects to, check that its issuer is among the CAs accepted by the cloud solution (see section 6.2).

1. Create a self-signed SSL server certificate in the Trust Manager or SAP Web Dispatcher. (Note: In the reference landscape, you only need a CA-signed SSL server certificate on SAP Web Dispatcher. You can apply the same method for signing SSL server certificates on SAP Web AS if you do not want to use self-signed server certificates there.)

2. Create and export a certificate request from the trust manager.

3. Copy the certificate request, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the entry field “Enter data for public key”.

4. Choose PKCS#7 certificate chain.

5. Choose Continue.

6. Copy the certificate response and import it into the trust manager.

7. Save the PSE in the trust manager.

8. Perform a New Start or “Soft Reset” of the ICM. To reduce the impact on existing sessions, do this locally on the instance(s) used for communicating from SAP Cloud to SAP Web AS (1).

For more information on ICM administration, see the SAP NetWeaver 7.0 Library at: http://help.sap.com/saphelp_nw70/helpdata/en/86/ba813a19a2416de10000000a114084/frameset.htm

Note

As server and client certificates have a defined validity period, you need to plan renewal of the certificates in time. Expired certificates cause communication failures, so monitor the expiry dates of the SSL server certificates on SAP Web Dispatcher and SAP Web AS, of the CA certificates imported in STRUST, and of the SAP Cloud client certificate mapped in VUSREXTID.


5.7.6 Configure SSL using SOA Manager

The system consuming or providing web services configured using SOA Manager must have SSL enabled as described in previous sections.

Note Refer to the integration guide of your solution to find details on the “consumed web services” and “provided web services”. This section focuses on the technical connectivity aspects of this configuration and not on the integration scenario itself.

When SAP Web AS (1) consumes a web service, you need to configure a so-called consumer proxy on SAP Web AS. This scenario is described on help.sap.com under “Configuring a Consumer Proxy” at:

http://help.sap.com/saphelp_nw73/helpdata/en/9e/c7a3591dc74a679bbc9716354e42af/frameset.htm

You will maintain a logical port. In our reference landscape, you need to set the HTTP(S) proxy of the logical port to proxy.mycompany.corp:8080.

When SAP Web AS (1) exposes a web service that shall be consumed by SAP Cloud (8), you need to maintain a web service end point using SOA Manager. This scenario is described on help.sap.com in the section “Configuring a Service Provider” at http://help.sap.com/saphelp_nw73/helpdata/en/33/06820d9d174c2884576bd78ac5629d/frameset.htm

In our reference scenario, the IDOC SOAP service uses the internal URL:

https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311

For web services maintained using SOA Manager, the end point URL looks different, and we expose a separate, external URL:

https://webapi.mycompany.com:443/sapcloudapi/idoc

Create an end point and specify the SSL binding and the authentication method, for example, X.509 certificate-based authentication.

To enable the desired external URL, maintain the transport settings as follows:

1. Define an alternative URL for messages. The path that you set here overrides the path defined in the URL.

2. Specify an alternative path. This is necessary, for example, if the service is not local or if it is behind a firewall. Use the path of the external URL: /sapcloudapi/idoc

3. If the target web service can only be accessed through a proxy server, you can also specify proxy information here. Use the external host name of SAP Web Dispatcher: webapi.mycompany.com

4. As a result, you have configured an end point with an external URL using SOA Manager: https://webapi.mycompany.com:443/sapcloudapi/idoc

Note

You may want to create an “internal end point” first for verifying the method and for testing the service using a web service test tool, then remove the test end point and add a new one with the target configuration.

For more information, see the following sections about SOA Manager in the SAP NetWeaver 7.3 Library:

Section URL

Runtime Configuration with the SOA Manager

http://help.sap.com/saphelp_nw73/helpdata/en/46/a4863ea82152b8e10000000a155369/frameset.htm


Configuring HTTPS at Transport Level with X.509 Certificate Authentication

http://help.sap.com/saphelp_nw73/helpdata/en/49/9bf6c9e05a526be10000000a42189c/frameset.htm

Configuring Service Providers and Consumers

http://help.sap.com/saphelp_nw73/helpdata/en/cf/9fb513ced74bbf82cac2231a358086/frameset.htm

Note Remember to define URL rewrite rules on SAP Web Dispatcher to enable mapping of external URL to internal URL. See also the example in reference scenario section 4.1.


6 SAP Supported Certification Authorities

6.1 Valid Trusted CAs

For communicating from SAP Web AS (1) to SAP Cloud (8) you must maintain trust relationships to the following CAs by importing the CA’s root certificate into the SAP Web AS trust manager:

Cybertrust Sure Server Standard Validation CA

GTE Cyber Trust Global Root

You must import the certificates of the above-mentioned CAs into the SAP ERP system in transaction STRUST.

Depending on the authentication method, you must import these certificates into one of the following folders:

SSL Client (Anonymous) for authentication with username/password

SSL Client (Standard) for authentication with client certificate

You can get these certificates from Verizon certificate services at: https://secure.omniroot.com/support/sureserver/rootcert.cfm

6.2 Valid CAs for Signing Server Certificates

Note: At the time of writing, test certificates signed via SAP Trust Center Services (https://service.sap.com/tcs, see section 5.7.5) were not accepted by SAP Travel OnDemand / SAP Business ByDesign. Make sure that the issuer of the SSL server certificate on your SAP Web Dispatcher is on the list below.

List of supported certification authorities for the SAP Business ByDesign tenant (ByDesign is the SSL client, SAP Web Dispatcher is the SSL server):

EntrustPersonalServerCA.cer

EntrustServerCA.cer

EquifaxIntermediate.cer

EquifaxSecureCA.cer

Go_Daddy_Class2.cer

Go_Daddy_Secure_Certification_Authority.cer

SAPNetCA.cer

SAPPassportCA.cer

TC_Trustcenter_Class1_L1_CA.cer

TC_TrustCenter_Class_1_CA.cer

TC_TrustCenter_Class_1_L1_CA_VII.cer

TC_TrustCenter_Class_2_CA_II.cer

TC_TrustCenter_Class_2_L1_CA_XI.cer

TCTrustcenterClass2.cer

TelekomOnlinePass.cer

Thawte_ServerBasic.cer


Thawte Premium Server CA Root

Thawte Primary Intermediate CA

Thawte Secondary Intermediate CA

Verisign_Class3_Intermediate.cer

VeriSignClass3_Secure_server.cer

VeriSignClass1_G1.cer

VeriSignClass1_G2.cer

VeriSignClass1_G3_b64.cer

VeriSignClass2_G1.cer

VeriSignClass2_G2.cer

VeriSignClass2_G3_b64.cer

VeriSignClass3_G1.cer

VeriSignClass3_G2.cer

VeriSignClass3_G3_b64.cer

VeriSignClass4_G2.cer

VeriSignClass4_G3_b64.cer

VeriSignClass3_SecureServer_CA_G2.cer

6.3 Valid CAs for Signing Client Certificates

List of supported certification authorities for the reverse proxy in the on-demand network (only relevant for client certificates)

Entrust.net Client Certification Authority

Entrust.net Secure Server Certification Authority

SAP Passport CA

Server CA

Deutsche Telekom Root CA 1

Thawte Server

VeriSign Class 1 Public Primary Certification Authority - G3

VeriSign Class 2 Public Primary Certification Authority - G3

VeriSign Class 3 Public Primary Certification Authority - G3

VeriSign Class 4 Public Primary Certification Authority - G3

Go Daddy Secure Certification Authority

TC TrustCenter SSL CA I

CompuTop GmbH

Entrust.net Certification Authority (2048)

Entrust Certification Authority - L1B

TC TrustCenter Class 1 L1 CA VI

VeriSign Class 3 Secure Server CA


TC TrustCenter Class 1 L1 CA VII

Thawte Premium Server

TC TrustCenter Class 2 L1 CA XI

TC TrustCenter Class 2 CA II


7 Further Reading

7.1 Guidelines

Documentation Where to Find?

SAP Security Guides http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000401180&

See SAP NetWeaver Security Guides (Complete) or SAP NetWeaver 7.3 Security Guide on the Help Portal:

http://help.sap.com/saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm

SAP NetWeaver 7.3: Network and Communication Security:

http://help.sap.com/saphelp_nw73/helpdata/en/fe/a7b5386f64b555e10000009b38f8cf/frameset.htm

SAP Web Dispatcher 7.1 Sizing Guide

https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf

SAP Security Guideline Overview: Best-Built Applications, chapter 9 “Security”:

http://bestbuiltapps.sap.com

or

http://wiki.sdn.sap.com/wiki/display/BBA/Chapter+9.+Security+Guidelines+for+Best-Built+Applications

7.2 Product Documentation

Documentation Where to Find?

X.509-Based Logon to NW AS from SAP Web Dispatcher

http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm

SAP Web Dispatcher and SSL

http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm

Configuring the SAP Web Dispatcher to Support SSL

http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm


Using the Secure Sockets Layer Protocol with the AS ABAP

http://help.sap.com/saphelp_nw70/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm

This section gives an overview of how to enable SAP Web AS (1) for SSL support.

Enable / enforce SSL with client certificates on SAP Web AS / SAP Web Dispatcher: icm/HTTPS/verify_client

http://help.sap.com/saphelp_nw70/helpdata/en/0d/88153a1a5b4c2de10000000a114084/content.htm

7.3 SAP Developer Network

SAP Developer Network (SDN) Home: http://www.sdn.sap.com/

SAP Developer Network Forum on Service-Oriented Architecture: http://forums.sdn.sap.com/forum.jspa?forumID=101

7.4 SAP Press Books

Thomas Schneider: SAP Performance Optimization Guide, SAP Press, Bonn / Boston, 2011, ISBN 978-1-59229-368-1

7.5 SAP Notes

SAP Note Number Short Text

833960 Supported Application Gateway Configurations


www.sap.com/contactsap

Technical Connectivity Guide - On-Demand Solutions

© 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System ads, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.