Skip to Content

Business case


We are going to provide CRM Survey’s via personalized Mails to external Customers. The Link had to access our internal SAP CRM Web AS 6.20. To make this secure I had to make sure that only the Survey URL can be called. I’ve installed the SAP Web Dispatcher and configured the URL Filter.


Network Layout




Internet
 


Firewall—web server in DMZ (www.test.com)


Internal Network
 

CRM Server   Other Servers and Clients
(crm.test.com)

The web server is running SuSE Linux 9.0 with an Apache web server. The web server is accessible from the Internet via HTTP and HTTPS on the default Ports 80 and 443.


Prerequisites


DNS Setup


To avoid problems with different Hostnames the Name of the Web AS in the Internet has to be the same as in the Intranet. With the separate name we can configure a VirtualServer in Apache. I set up this DNS entries:

    • External DNS: crm.test.com is a Alias to www.test.com
    • Internal DNS crm.test.com resolves to the IP Address of the Server i. e. 192.168.2.2
    • Webserver /etc/hosts 192.168.2.2 crm crm.test.com

With this configuration you can use the Name crm.test.com during the Web Dispatcher configuration.


Ports


Check out the SAP Web Dispatcher Documentation for an overview of the functionality.


Preparation


Download the latest available DW Package and Unicode Library (uclib) from http://service.sap.com/patches/ -> Support Packages and Patches -> SAP NetWeaver -> SAP NETWEAVER -> SAP NETWEAVER 04 -> Entry by Component -> Application Server ABAP -> SAP KERNEL 6.40 32-BIT UNICODE -> Linux on IA32 32bit -> #Database independent: dw_94-20000247.SAR and UCLIB_3-20000247.SARRead Note 552286</li>
</ul>


Implementation


After the preparation you can run the Command “./sapwebdisp –bootstrap” to create a basic Web Dispatcher configuration. During the run you have to provide:

    1. Hostname of Message Server
    2. HTTP Port of Message Server
    3. Instance Number for SAP Web Dispatcher
    4. HTTP Port SAP Web Dispatcher
    5. Type of Configuration (small, medium, large)

When everything’s fine the Profile file “sapwebdisp.pfl” will be created and the Password of the Administration User “icmadm” will be returned. Please make sure to note this password. The SAP Web Dispatcher will be started automatically.


www:/usr/sap/CRP/sapwebdisp # ./sapwebdisp -bootstrap
SAP Web Dispatcher Bootstrap
============================
 
This bootstrap will perform the following steps:
1. create profile file "sapwebdisp.pfl"for SAP Web Dispatcher (if not already existing)
2. create user for web based administration in file "icmauth.txt"(if not already exisiting)
3. start SAP Web Dispatcher with the created profile
 
After the bootstrap you can use the web based administration
 
Generating Profile "sapwebdisp.pfl"
Hostname of Message Server (rdisp/mshost): crm.test.com
HTTP Port of Message Server (ms/http_port): 8100
Checking connection to message server...OK
Unique Instance Number for SAP Web Dispatcher (SAPSYSTEM): 00
HTTP port number for SAP Web Dispatcher: 8000
Create configuration for s(mall), m(edium), l(arge) system (default: medium): s
Profile "sapwebdisp.pfl" generated
Authentication file "icmauth.txt" generated
Web Administration user is "icmadm" with password "1871"
Restart sapwebdisp with profile: sapwebdisp.pfl
sapwebdisp started with new pid 25037
Please extract archive "icmadmin.SAR" to directory ./admin
Web administration accessable with "http://www:8000/sap/wdisp/admin/default.html"
 
SAP Web Dispatcher bootstrap ended (rc=0)
www:/usr/sap/CRP/sapwebdisp # *** SAP Web Dispatcher up and operational (pid: 25037) ***

You can press CTRL + C to stop the SAP Web Dispatcher.

To automatically start SAP Web Dispatcher I’ve created this script in “/etc/init.d/sapwebdisp”:


#!/bin/sh
 
case "$1" in
start)
if test -x /usr/sap/CRP/sapwebdisp/sapwebdisp ; then
echo "Starting SAP Web Dispatcher."
cd /usr/sap/CRP/sapwebdisp/
/usr/sap/CRP/sapwebdisp/sapwebdisp
pf=/usr/sap/CRP/sapwebdisp/sapwebdisp.pfl
-auto_restart
-f /usr/sap/CRP/sapwebdisp/dev_webdisp &
fi
;;
stop)
echo -n "Shutting down SAP Web Dispatcher:"
killproc -2 /usr/sap/CRP/sapwebdisp/sapwebdisp
echo
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac
 
exit 0

Link the script to the runlevels you need it with:


insserv -d sapwebdisp


Setup URL Filter


  1. SAP Web Dispatcher permission table

D /sap/bc/bsp/sap/crm_svy_server/test*
P /sap/bc/bsp/sap/crm_svy_server/*
D *

With this configuration the Survey test page can not be accessed, Surveys can be accessed and no other pages can be accessed.

Finaly add this lines on the end of “sapwebdisp.pfl” to let the SAP Web Dispatcher take notice of the permission table:



  1. SAP Web Dispatcher as a URL Filter

wdisp/permission_table = urlfilter.pfl

Restart the SAP Web Dispatcher to activate this settings.


Configure Apache as reverse Proxy


You can find some reverse Proxy basics also here on SDN in https://weblogs.sdn.sap.com/pub/u/12086 [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] Weblog Series:

The Reverse Proxy Series — Part 1: Introduction

The Reverse Proxy Series — Part 2: IIS as a reverse-proxy</li>
</ul>


<p>Because we’re already running an Apache web server for our public website on Port 80 we can not attach the SAP Web Dispatcher to it. So Apache had to act as a reverse Proxy to access the SAPWeb Dispatcher. Here is the VirtualHost configuration:</p>


<pre class=”sapCode”>
<VirtualHost 192.168.1.2>
    DocumentRoot /srv/www/htdocs
    ServerName crm.test.com
    ErrorLog /var/log/httpd/host.crm.test.com-error_log
    CustomLog /var/log/httpd/host.crm.test.com-access_log combined
    ProxyPass           / http://localhost:8000/
    ProxyPassReverse    / http://localhost:8000/
</VirtualHost>
</pre>

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Dhandu Subramanian

    Gregor:/sapwebdisp. The directory we install on DMZ webserver should have directory structre like you mentioned. Can the DW and UCLIB be extracted to any directory specific directory structure we like.

    (0) 
  2. Jed Kirchenwitz
    Followed you instructions step-by-step, but am having troubles with teh web dispatcher shutting down immediately after I enter the ./sapwebdisp command.  Have you ever seen this before, and if so how have you gotten past this?
    (0) 
  3. Thomas Berger
    hello gregor,

    what you are thinking about the note 898104 ?

    If your SAP Web dispatcher is executed separately in the DMZ, SAP recommends to use the non-Unicode version.

    thomas

    (0) 
    1. Gregor Wolf Post author
      Hi Thomas,

      i was not aware of this recommendation. I’ve opened an OSS message asking SAP about the details and if there are problems with the non-unicode Web Dispatcher in front of a Unicode backend system.

      Regards
      Gregor

      (0) 
  4. Anonymous
    We have issue here is mostly related to external parties not being able to access the internal  servers where e.g. the surveys reside. 

    What is best option or the best practice to allow external people to Access Survey? Any Best Practice

    Appreciate your answer
    Regards,
    Irfan Bhimani

    (0) 
  5. Marisa Alejandra Alcaraz
    Hello Gregor,
    Many thanks for your blogs and inputs in SDN posts regarding to this matter.
    They were very useful since I’m blueprinting the survey scenario for customers via internet.

    Best regards,
    Marisa

    (0) 

Leave a Reply