
Security Information for SAP Web Dispatcher
To guarantee maximum security when the Web Dispatcher is running, SAP recommends the
following measures:

 Always use the most up-to-date SAP Web Dispatcher: SAP Note 538405 describes where you can
find the newest version. Search regularly for SAP Security Notes that affect the SAP Web
Dispatcher.

 Use HTTPS instead of HTTP.

o Use the rewrite handler to configure a protocol switch from HTTP to HTTPS. This fully prevents the
use of unencrypted HTTP, and it also avoids error messages in the browser when users inadvertently
access the system with an HTTP URL. Note that not all HTTP clients follow redirects. Even though
this redirect configuration ensures that no unencrypted HTTP access to the system is possible,
individual clients of the system, e.g. web service endpoints, may also have to be switched from
HTTP to HTTPS explicitly.

o Also use HTTPS between the SAP Web Dispatcher and the back-end systems. Use the profile
parameter wdisp/ssl_encrypt if the network between the SAP Web Dispatcher and the back-end
systems is not otherwise sufficiently secured.

 Use filters to restrict access to your system at different levels. SAP Web Dispatcher provides various
filtering mechanisms. We recommend that you use the simplest mechanism that meets your security
requirements. For example, if ACLs are sufficient, use these. The next level would be the
authentication handler, and the top level would be the rewrite handler. This avoids an unnecessarily
complex configuration, which is itself a security risk.

o If you specify negative lists (deny entries) in URL filters, use case-insensitive filters because the
ABAP application server treats URLs as case-insensitive.
Filter mechanism: ACL files / Authentication Handler / HTTP Rewrite Handler

Use:
o ACL files: Use ACL files to restrict access to specific client IP addresses or client IP address ranges if
the restriction does not depend on the content of the HTTP request (nor on the URL), and no HTTP
error page is required.
o Authentication Handler: Use the authentication handler to set up URL filters. Rules in the ACL files or
the authentication handler can also refer to specific client IP addresses, or to server IP addresses.
o HTTP Rewrite Handler: Use the HTTP rewrite handler for filters that cannot be mapped by ACL files or
the authentication handler. The rewrite handler is a powerful tool for various filtering mechanisms. It
enables large amounts of data in an HTTP request to be checked and linked using a set of rules.
Different actions can be performed for the matching request.

Reloading the configuration file dynamically: Is possible / Is possible / Is possible

Positive or negative lists: Yes, both (mixed also possible) / Yes, both (mixed also possible) / Yes, both
(mixed also possible)

Filtering on URLs: No / Yes / Yes

Handling of upper and lower case: - / Default setting is case-insensitive; configurable / Case sensitivity
can be configured for each filtering rule

Security logging: Yes / Yes / No

Filtering on client IP addresses, including net masks: Yes / Yes / Yes

Use the Web dispatcher as a URL filter with positive lists. Definitely filter the following URLs as these
provide details of the infrastructure and the configuration:

 /sap/public/icman/*

 /sap/public/ping

 /sap/public/icf_info/*
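The following is an added example, not part of the SAP documentation above, that illustrates two of the points just made: why deny entries in URL filters must be matched case-insensitively (the ABAP server treats the path case-insensitively, so a case-sensitive deny entry leaves a gap), and why a positive list fails closed even when the case handling is wrong. The permit (P) / deny (D) list model, the rule evaluation order, the application path /sap/bc/myapp/* and the probe URLs are all constructed for this example and do not reproduce the SAP Web Dispatcher file format.

```python
import fnmatch

# Constructed sample filter lists. This is a simplified permit (P) / deny (D)
# model written for this example; it is not the SAP Web Dispatcher file format.
# Rules are evaluated top to bottom and the first match decides.

# Negative list: deny the three URL prefixes named in the text, allow everything else.
NEGATIVE_LIST = [
    ("D", "/sap/public/icman/*"),
    ("D", "/sap/public/ping"),
    ("D", "/sap/public/icf_info/*"),
    ("P", "/*"),
]

# Positive list: only the named application paths are allowed; anything not
# listed (including the three infrastructure URLs) is denied by default.
POSITIVE_LIST = [
    ("P", "/sap/bc/myapp/*"),   # constructed application path
    ("P", "/sap/public/bc/*"),
]


def decide(url, rules, case_insensitive=True):
    """Return 'permit' or 'deny' for a request URL.

    Only the path is matched; the query string is ignored. With no matching
    rule the request is denied, so a pure positive list fails closed.
    """
    path = url.split("?", 1)[0]
    for action, pattern in rules:
        if case_insensitive:
            matched = fnmatch.fnmatchcase(path.lower(), pattern.lower())
        else:
            matched = fnmatch.fnmatchcase(path, pattern)
        if matched:
            return "permit" if action == "P" else "deny"
    return "deny"


# Constructed probe URLs: the same resources spelled with different letter case.
# The ABAP application server treats each pair as the same URL.
PROBES = [
    "/sap/public/icf_info/logon_groups",
    "/SAP/PUBLIC/ICF_INFO/logon_groups",
    "/sap/Public/Ping",
    "/sap/bc/myapp/start",
]


def check_variants(rules, case_insensitive):
    """Map each probe URL to the filter decision under the given rule set."""
    return {url: decide(url, rules, case_insensitive) for url in PROBES}


def bypasses(rules, case_insensitive):
    """Probe URLs that are permitted although the lowercase spelling of the
    same resource is denied: these are the gaps the text warns about."""
    decisions = check_variants(rules, case_insensitive)
    return sorted(
        url for url, verdict in decisions.items()
        if verdict == "permit" and decide(url.lower(), rules, case_insensitive) == "deny"
    )


if __name__ == "__main__":
    for name, rules in (("negative list", NEGATIVE_LIST), ("positive list", POSITIVE_LIST)):
        for ci in (False, True):
            mode = "case-insensitive" if ci else "case-sensitive"
            print(f"{name}, {mode}: bypasses = {bypasses(rules, ci)}")
```

Run stand-alone, the negative list with case-sensitive matching reports two bypasses (the upper-case spellings of the icf_info and ping URLs), while the same list matched case-insensitively and the positive list in either mode report none. The positive list's only side effect of case-sensitive matching is a false denial of upper-case spellings of permitted paths, which is the safer failure.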

 Use HTTP Logging and Security Logging.

 Make the following settings to increase security for the Web Admin interface.

o Use HTTPS to prevent the password from being spied on. To do this, use in the URL an HTTPS port
that you set up with the profile parameter icm/server_port_<xx>.

o Allow the administration of the SAP Web Dispatcher to be done only on ports with a secure protocol
(HTTPS), by setting the PORT option of the profile parameter icm/HTTP/admin_<xx> to an HTTPS
port.

o Configure admin ports that can only be accessed from the internal network. To do this, use
the PORT option of the profile parameter icm/HTTP/admin_<xx>.

o Only allow administration tasks to be done under a specific host name/IP address that can only be
accessed from the internal network. To do this, use the option HOST of the profile
parameter icm/HTTP/admin_<xx>.

o Restrict the administration to clients in the internal network. To do this, use the CLIENTHOST option
of the profile parameter icm/HTTP/admin_<xx>.
o Deactivate support of public monitoring information in the Web admin interface. To do this, use the
subparameter ALLOWPUB=FALSE of the profile parameter icm/HTTP/admin_<xx>.
If ALLOWPUB=FALSE, access to administration pages without having to log on is fully deactivated.
If ALLOWPUB=TRUE, read access to certain administration pages under the path "public/index.html" is
allowed without having to log on (for example, "Monitor", "Active Services", "Core Thread Status",
"Host Name Buffer", "Release Information", and "MPI Status"). Access to these pages without
having to log on should be restricted. This can be done with the subparameters HOST and
CLIENTHOST of the profile parameter icm/HTTP/admin_<xx>.
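The following is an added example, not SAP's own tooling, that turns the recommendations of the HTTPS section and of the Web Admin section above into an offline profile check: it parses instance-profile lines of the form "name = value", collects the icm/server_port_<xx> entries that offer HTTPS, and reports every icm/HTTP/admin_<xx> entry whose PORT is not one of them or that lacks ALLOWPUB=FALSE, HOST or CLIENTHOST, plus a missing wdisp/ssl_encrypt and a missing rewrite handler (icm/HTTP/mod_<xx>). Both profiles are constructed; the port numbers, host names and the admin PREFIX are made up. The meaning of wdisp/ssl_encrypt values 1 and 2 (re-encrypt towards the back end) and the content of the redirect.txt rewrite file are assumptions and should be checked against the SAP documentation for your release.

```python
# Constructed sample profiles (not taken from a real system). The parameter
# names are the ones cited in the text; ports, hosts and prefixes are made up.
WEAK_PROFILE = """
# constructed: plain HTTP only, administration on the same HTTP port
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=8080
wdisp/ssl_encrypt = 0
"""

HARDENED_PROFILE = """
# constructed: HTTPS port added, rewrite handler loaded, admin bound to HTTPS
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_INSTANCE)/redirect.txt
wdisp/ssl_encrypt = 1
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=44300,HOST=wdisp-admin.internal.example,CLIENTHOST=admin-jump.internal.example,ALLOWPUB=FALSE
"""

# Assumed content of the redirect.txt that the hardened profile loads: an
# HTTP-to-HTTPS protocol switch in the rewrite handler's rule syntax as the
# author of this example understands it (verify against your release's docs).
REDIRECT_RULES = """
if %{SERVER_PROTOCOL} stricmp http
RegIRedirectUrl ^/(.*) https://%{SERVER_NAME}:44300/$1
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split a 'KEY=val,KEY=val' option list into a dict with upper-case keys."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def https_ports(params):
    """Port values of all icm/server_port_<xx> entries that use PROT=HTTPS."""
    ports = set()
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            opts = parse_options(value)
            if opts.get("PROT", "").upper() == "HTTPS" and "PORT" in opts:
                ports.add(opts["PORT"])
    return ports


def audit(profile_text):
    """Return one finding per recommendation from the text that the profile misses."""
    params = parse_profile(profile_text)
    findings = []
    secure = https_ports(params)
    if not secure:
        findings.append("no icm/server_port_<xx> with PROT=HTTPS: HTTPS is not offered")
    # Assumption: values 1 and 2 re-encrypt traffic towards the back-end systems.
    if params.get("wdisp/ssl_encrypt") not in ("1", "2"):
        findings.append("wdisp/ssl_encrypt is not 1 or 2: traffic to back-end systems may be unencrypted")
    if not any(name.startswith("icm/HTTP/mod_") for name in params):
        findings.append("no icm/HTTP/mod_<xx>: rewrite handler not loaded, no HTTP-to-HTTPS protocol switch")
    for name, value in params.items():
        if not name.startswith("icm/HTTP/admin_"):
            continue
        opts = parse_options(value)
        if opts.get("PORT") not in secure:
            findings.append(f"{name}: PORT is not an HTTPS port, the admin password can be spied on")
        if opts.get("ALLOWPUB", "").upper() != "FALSE":
            findings.append(f"{name}: ALLOWPUB not set to FALSE, monitoring pages readable without logon")
        for opt in ("HOST", "CLIENTHOST"):
            if opt not in opts:
                findings.append(f"{name}: {opt} not set, administration not restricted to the internal network")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {len(audit(profile))} finding(s)")
        for finding in audit(profile):
            print("  -", finding)
```

Against the weak profile the audit reports seven findings (no HTTPS port, no back-end encryption, no rewrite handler, and four for the admin entry); against the hardened profile it reports none. The check deliberately treats a missing ALLOWPUB as a finding rather than relying on the parameter's default, so that the intended setting is always explicit in the profile.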

For up-to-date information about security settings for the SAP Web Dispatcher, see SAP
Note 870127.
