
SAP Web Dispatcher 6.40 for SAP Web AS Java

Jochen Rundholz
NW RIG APA
RIG Know How Conf Calls

Please:
All participants will be muted
Questions in the Q&A section at the end
Important issues via WebEx chat
Mute your phone
Use the Mute button where available or
Key in *6* to mute and *6* to unmute in case you want to ask a question
Give feedback for further improvements

© SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 2


Introduction

Installation

Administration
Introduction Web Applications and Web Servers
Introduction Load Balancer
Requirements of Business Web Applications

Scalability and performance


Scale out via additional application servers: load balancer necessary
Dynamic content leads to low fraction of cacheable content

Transactional
Session persistence necessary

Security
Protection of application servers (DMZ, reverse proxies, firewalls, ...)
Authentication
Encryption

Stability
High availability is necessary



"Old" SAP Application Server Architecture

[Diagram labels: SAP GUI, Client/Server, DIAG, RFC, Dispatcher, Gateway, Work Processes, RDBMS]


SAP Web Application Server 6.40

[Diagram labels: Browser, SAP GUI, Client/Server, HTTP, DIAG, RFC, ICM, Dispatcher, Gateway, Work Processes, RDBMS, J2EE Dispatcher, J2EE Server Processes]


System Communication

[Diagram labels: Web Browser/SAP GUI, Web Server, Internet, ICM, Central Services (Message Server, Enqueue Server), MS, MPI, HTTP, ABAP-Dispatcher, Java-Dispatcher, SDM, WP ... WP, Server ... Server, JCo, ABAP, JAVA]


Introduction Web Applications and Web Servers
Introduction Load Balancer
Load Balancing Design Criteria

Load balancing mechanism (client or server side)

End-to-end SSL or SSL termination in load balancer.


In-depth vs. end-to-end security, need to inspect traffic
Persistence mechanism (session ID or IP address)
Client certificate authentication

Cost of device

Performance

Robustness and high availability

Ease of configuration and operation (TCO)

Integration into existing infrastructure and security policy



Facts and Features of SAP Web Dispatcher

Usability
Single point of access: only one URL for user, only one official IP address
Load balancing and configuration via message server

Scalability and performance


Software solution, not a hardware solution

Transactional
Session persistence via cookie (HTTP) or IP address (HTTPS)

Security
Protection of application servers (DMZ, reverse proxy, firewalls, ...)
Authentication
SSL Termination, end to end SSL, re-encryption
Simple request filtering



Hardware Load Balancer vs. SAP Web Dispatcher

Pro
Additional features
Re-use existing infrastructure
Unified Web infrastructure for all Web systems (SAP and non-SAP)

Contra
Cost
Less integrated with SAP Web AS
Configuration, operation, maintenance requires special expertise



Load Balancing Mechanisms (Redirection & DNS)

Redirections
Simple
Bad user experience and maintenance

DNS based methods


Perhaps OK for intranet
OK for global load balancing
Generally not OK for server load balancing



Drawbacks of Redirection

Many official external DNS names and IP addresses

Confusing for the user, bookmarking destroys load balancing

With SSL
Server certificate must match URL
Every application server needs separate server certificate
High administrative overhead
Expensive

May lead to unnecessary user authentication dialogs



Load Balancing Mechanisms (Server Side)

Load balancing device

Transparent for client
Always the same URL
One official IP address for all application servers
One server certificate for all servers
Technically challenging
Usually preferable

[Diagram labels: Load Balancer, Application Server (x3)]


Web Dispatcher

[Diagram labels: http://web.acme.com, SAP Web Dispatcher, Message Server, Central Instance, Dialog Instance (x2), RDBMS]


Web Dispatcher For Multiple SAP Web AS

Multiple Web Dispatchers on different TCP ports

[Diagram labels: https://web, https://web:444, IP, port 443, port 444, SAP Web Dispatcher (x2), Corporate Network, SAP Web AS (x2)]

Not recommended
J2EE session cookies overwrite each other.
SSL to port other than 443 often not possible

Web Dispatcher For Multiple SAP Web AS

Multiple Web Dispatchers on different (virtual) IP addresses

[Diagram labels: https://web1, https://web2, IP1 port 443, IP2 port 443, SAP Web Dispatcher (x2), Corporate Network, SAP Web AS (x2)]

Recommended


Integration Into Web Server / Reverse Proxy

Integrate SAP Web AS services into Web site

Forward requests for /sap* to SAP Web AS
Optional Web Dispatcher for scaling

[Diagram labels: Internet, Firewall (x2), port 443, Web Server, Static Web Pages, other, Reverse Proxy Module, /sap*, SAP Web AS]


Network Security

Optional high security network with internal firewall

[Diagram labels: Internet, Router & Firewall, Internal Network, Server Network (DMZ), Secure Server Network, High Security Network, Firewall, Internal Firewall, Web Servers, Application Proxy Server, SAP Web Application Server, Protected Applications, Database Access, DB, R/3, FI, HR etc.]


Introduction

Installation

Administration
Sizing
Installation
High Availability
CPU Sizing

No measurements available yet


Main factor is the usage of SSL
No SSL at all
Termination of SSL
Termination and re-encryption of SSL
Termination of SSL is expensive
Re-encryption is not very expensive since only the handshake is
expensive and the handshake between server and SAP Web Dispatcher
has to be done only every couple of hours



Memory sizing

Memory usage for internal tables


Server tables
Holding information about connected servers
Usually very small (90 kB default, few MB for very large system)
Connection tables
Holding information about the open connections
concurrent_conn = (users * req_per_dialog_step * conn_keepalive_sec) / thinktime_per_diastep_sec
mpi/total_size_mb = (concurrent_conn * mpi_buffer_size) / (1024 * 1024)
Default: mpi_buffer_size = 32kB
Default: mpi/total_size_mb = 500

End to End SSL table


1.8 MB for 10.000 entries



Sizing
Installation
High Availability
Installing the SAP Web Dispatcher

Media for the web dispatcher is provided with the J2EE kernel:
C:\usr\sap\<SID>\<Central-Instance>\exe\sapwebdisp.exe
icmadmin.SAR

To install and set up the SAP Web Dispatcher:

1. Download kernel files from SAP service market place
2. Extract kernel using sapcar -xvf
3. Copy the sapwebdisp.exe and icmadmin.SAR files to a directory on what is to be the Web Dispatcher host.
4. Use sapcar -xvf to extract the icmadmin.SAR file into that directory.
5. Execute sapwebdisp -bootstrap to generate an initial profile for the Web Dispatcher
6. Start the web dispatcher with sapwebdisp pf=sapwebdisp.pfl


Download from service.sap.com/download



Unpack kernel

These are only the minimum files; sometimes additional files might be used or helpful.

Unpack icmadmin.SAR & Folder Structure



Configuring the SAP Web Dispatcher

Necessary Input

Important Information



Basic files after installation

Developer Trace

Hashed Password of User

SAP Web Dispatcher executable

SAP Web Dispatcher profile



Additional Information

Some additional information regarding the installation


Version information via sapwebdisp -v
Trace file dev_webdisp in web dispatcher directory
MS platforms: msvcp71.dll and msvcr71.dll must exist (OSS 684106)
Start SAP Web Dispatcher via
sapwebdisp.exe pf=<drive>:\<path>\sapwebdisp.pfl
OSS notes: 538405



Sizing
Installation
High Availability
Web Dispatcher High Availability

[Diagram labels: Redundant Network Infrastructure, Corporate Network, SAP Web Dispatcher (x2), Fail-Over, High availability cluster, SAP Web AS]


High Availability of SAP Web Dispatcher - Basics

Some basic information


Fail over software has to be provided by hardware partner
No automatic restart possibility of web dispatcher process in case of
process crash on MS or iSeries platforms
Automatic restart possibility given on UNIX platforms via watchdog



Watchdog on UNIX

Setup of watchdog on UNIX

Start the SAP web dispatcher with the option -auto_restart
The SAP web dispatcher will fork and create a child process
Both processes have access to the same resources
The child process will take over the actual work, the parent process provides the watchdog functionality


Introduction

Installation

Administration & Configuration


Basics
Load Balancing
Session Persistence
SSL Options
sapwebdisp.pfl

Typical Web Dispatcher Parameter File:



Basic Profile parameters

These are the most basic profile parameters


SAPSYSTEM
    Must be unique on the host and must be in the range between 0 – 98
    Used to distinguish shared memory segments of different SAP Web Dispatchers on the same host
rdisp/mshost
    Hostname of the host where the message server is running (in case of double stack installation the ABAP MS has to be used)
ms/http_port
    Port of the message server
wdisp/auto_refresh
    Time to refresh internal routing tables
icm/server_port_0
    Protocol and port where the dispatcher is listening for incoming requests
icm/http_admin_0
    Configuration of admin access
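
A pre-start check of the constraints listed above, for all Web Dispatcher profiles on one host. This is an added example, not part of the original slides or SAP tooling; the sample profiles, host names and ports are constructed, and the "key = value" line format, the PROT=...,PORT=... value and the choice of required keys are assumptions.

```python
# Required keys are an assumption: the slide's parameters needed to reach the
# message server and open a listening port.
REQUIRED = ("SAPSYSTEM", "rdisp/mshost", "ms/http_port", "icm/server_port_0")

# Constructed sample profiles (host names and ports are made up).
PROFILE_A = """# constructed sample
SAPSYSTEM = 1
rdisp/mshost = mshost.example.com
ms/http_port = 8101
wdisp/auto_refresh = 120
icm/server_port_0 = PROT=HTTP,PORT=8080
"""
PROFILE_B = PROFILE_A.replace("PORT=8080", "PORT=8081")   # reuses SAPSYSTEM 1
PROFILE_C = "SAPSYSTEM = 99\nrdisp/mshost = mshost.example.com\n"

def parse_profile(text):
    """Read 'key = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_profiles(profiles):
    """profiles: {name: profile text} for dispatchers on ONE host -> problems."""
    problems, used = [], {}
    for name, text in profiles.items():
        params = parse_profile(text)
        for key in REQUIRED:
            if not params.get(key):
                problems.append(f"{name}: {key} not set")
        nr = params.get("SAPSYSTEM", "")
        if not nr:
            continue
        if not nr.isdigit() or not 0 <= int(nr) <= 98:
            problems.append(f"{name}: SAPSYSTEM {nr} outside 0-98")
        elif int(nr) in used:
            # Same number on one host: shared memory segments are not distinct.
            problems.append(f"{name}: SAPSYSTEM {nr} already used by {used[int(nr)]}")
        else:
            used[int(nr)] = name
    return problems

if __name__ == "__main__":
    print(check_profiles({"a": PROFILE_A, "b": PROFILE_B, "c": PROFILE_C}))
```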



Administration Tool

dev_wdisp
sapwebdisp.pfl plus default values

sapwebdisp -v



Basics
Load Balancing
Session Persistence
SSL Options
Load Balancing Mechanism: Overview

Load balancing device needs information about system state

Configuration
Manual
Retrieve from SAP Message Server (hosts, port numbers, ...)

Load balancing
Round-robin (weighted)
Load-based
Use information from SAP Message Server

High availability
Check individual Web AS instances
Use information from SAP Message Server



Load Balancing Server Determination



Load Balancing: Capacity

Capacity value is provided by message server

Capacity of an instance is equal to the number of server processes of that instance

Capacity value from message server can be overwritten by configuration (OSS note 645130)


Load Balancing Strategy

wdisp/load_balancing_strategy

weighted_round_robin (default): requests are distributed in turn to the servers, depending on their relative capacity
    Preferable for end to end SSL

simple_weighted_round_robin: requests are distributed in turn to the servers, depending on their absolute capacity
    Preferable for very large systems (amount of application servers)


Load Balancing: Overruling Message Server

Set the parameter wdisp/server_info_location =

    UNIX: file:///<Path>/info.icr
    MS: file://C:\<Path>\info.icr

The file info.icr looks like

    Version 1.0
    J2EE3537200
    J2EE host1 50000 LB=2
    P4 host1 50004 LB=2

    J2EE23799700
    J2EE host2 50200 LB=1
    P4 host2 50204 LB=1

LB values have to be identical

The format is:

    J2EE<Server node>
    J2EE <hostname> <Port> LB=<capacity>
    P4 <hostname> <Port> LB=<capacity>
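
Because this file replaces what the message server would report, a malformed entry changes where requests are routed. The following parser and consistency check for the format above is an added example, not part of the original slides; it assumes that "LB values have to be identical" refers to the J2EE and P4 lines of one server node, and the mismatched variant is constructed.

```python
import re

# Sample taken from the slide, plus a constructed variant with a mismatched LB value.
SAMPLE = """Version 1.0
J2EE3537200
J2EE host1 50000 LB=2
P4 host1 50004 LB=2

J2EE23799700
J2EE host2 50200 LB=1
P4 host2 50204 LB=1
"""
SAMPLE_MISMATCH = SAMPLE.replace("P4 host1 50004 LB=2", "P4 host1 50004 LB=3")

NODE_RE = re.compile(r"^J2EE(\d+)$")                      # J2EE<Server node>
ENTRY_RE = re.compile(r"^(J2EE|P4)\s+(\S+)\s+(\d+)\s+LB=(\d+)$")

def check_info_icr(text):
    """Parse info.icr text; return (nodes, problems).

    nodes maps server node id -> {protocol: (host, port, capacity)}.
    """
    nodes, problems, current = {}, [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Version "):
        problems.append("first line is not a Version header")
    else:
        lines = lines[1:]
    for ln in lines:
        node, entry = NODE_RE.match(ln), ENTRY_RE.match(ln)
        if node:
            current = node.group(1)
            nodes.setdefault(current, {})
        elif entry and current is not None:
            proto, host, port, lb = entry.groups()
            if not 0 < int(port) < 65536:
                problems.append(f"node {current}: bad port {port}")
            nodes[current][proto] = (host, int(port), int(lb))
        else:
            problems.append(f"unexpected line: {ln!r}")
    for node_id, entries in nodes.items():
        capacities = {cap for _, _, cap in entries.values()}
        if not entries:
            problems.append(f"node {node_id}: no J2EE/P4 lines")
        elif len(capacities) > 1:
            problems.append(f"node {node_id}: LB values differ {sorted(capacities)}")
    return nodes, problems

if __name__ == "__main__":
    for name, text in (("slide sample", SAMPLE), ("mismatch", SAMPLE_MISMATCH)):
        print(name, check_info_icr(text)[1] or "OK")
```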



Monitoring Load Balancing

These values change over time, according to the load balancing strategy


Basics
Load Balancing
Session Persistence
SSL Options
Load Balancing + Stateful User Sessions

[Diagram labels: 1st request, 2nd request, Load Balancer, Application Server (x2), Session State]


Stateful User Sessions

Complex applications are usually stateful


Hold database locks
Store intermediate SQL results etc.
Session state persistent between requests ("roll area")

HTTP is a stateless protocol


Successive requests may open a new network connection

SAP Web AS uses session ID to recognize user session


Session cookie
Part of the request URL ("URL rewriting")



Persistence Mechanisms

Session ID (Cookie or URL)


Detect actual application need for session persistence
Requires no state in load balancer, because SAP session ID contains
application server instance name
Requires access to clear text HTTP request (Termination of SSL in LB)

IP address of client
Works also with encrypted traffic
Problems with proxies: not good for Internet
No way to detect stateless requests
Problems with alternative host names

Cookies inserted into the data stream by load balancer


Works "out-of-the-box"
Problems with some SAP applications
Requires access to clear text HTTP request
Basics
Load Balancing
Session Persistence
SSL Options
Secure Socket Layer

Encryption is required for business applications


Protect user credentials (e.g. passwords)
Data security

Secure Socket Layer (SSL)

SSL encrypts entire communication between browser and server

Server authentication (mandatory)


Browser verifies that server certificate matches URL

Client authentication with X.509 certificates (optional)


Server takes identity of user from browser certificate

End point of SSL session is either


Application Server (end-to-end security)
Web infrastructure component (in-depth security)



Web Dispatcher In DMZ

Web Dispatcher is an application layer gateway, but does not have full reverse proxy functionality.

[Diagram labels: Internet, Firewall (x2), SAP Web Dispatcher, Possibly filter requests, Corporate Network, SAP Web AS, End-to-end SSL or SSL Termination, Encrypted or clear text traffic]

Web Dispatcher End-to-end SSL Mode

Pro
Client authentication with X.509 certificates
End-to-end data security
Load balancer is "untrusted" component

Contra
Persistence based on client IP address only
Load balancing problems
Proxies
End-of-session
But: IP address based persistence usually OK in intranet
No logon groups
No distinction between J2EE and ABAP applications



End-to-End SSL Revisited

All servers used by an SAP System share the same certificate
Good: few certificates
Bad, because:
Every load balancer must use an exclusive set of servers
Multiple load balancers must use non-overlapping groups of servers
Example: different URLs for internal and external users

[Diagram labels: SAP Web Dispatcher, SAP System, internal Load Balancer (host1), external Load Balancer (host2), Application Servers host1, Application Servers host2]


Web Dispatcher SSL Termination Mode

Pro
Persistence based on application session ID
Logon groups
Detection of application type (ABAP / J2EE), select correct server
Request parsing and URL Filtering
SSL re-encryption is possible

Contra
Harder to configure
Web Dispatcher becomes "trusted component" (secure channel to WebAS needed)
Make sure Web Dispatcher does not become performance bottleneck



Feedback
Please provide any feedback to improve our services!

jochen.rundholz@sap.com

Thank You !



Questions?

Q&A
