today I would like to share with you some insights on Web Dispatcher configuration for a Portal system. I set up a demo system for Fiori launchpad on Portal including various types of content like Fiori apps (different waves), Personas, Mobile documents, and more. Since the new Fiori iView template (for Fiori apps wave 2 and above) only runs correctly, when the system which hosts the Fiori wave 2+ application is set up to use Web Dispatcher, we decided to have all calls going via the Web Dispatcher.

What I will show you in this blog is just an example of how our system was configured. Of course, this cannot be transferred one to one to other systems, so the intention is more to give you some kind of lead.

Let me first give you a short overview of our landscape which is geographically distributed:

We have a portal system running in Germany (in the Web Dispatcher file, I just changed that to domain: dom3), a Personas system in a second country (dom2), and a Fiori ERP system which is located in a third country (dom1) and also hosts the HANA system and the Web Dispatcher.

We configured all systems to support SSL.

This is our web dispatcher configuration file:







_PF = $(DIR_PROFILE)/<file-name-of-profile-file>







# Accesssability of Message Server


rdisp/mshost = fiori.dom1.corp

ms/http_port = 8101


# Configuration for medium scenario


icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80


# SAP Web Dispatcher Ports


icm/server_port_0 = PROT=HTTP,HOST=fiori.dom1.corp,PORT=81$$

icm/server_port_1 = PROT=HTTPS,HOST=fiori.dom1.corp,PORT=4050

icm/server_port_2 = PROT=HTTP,HOST=fiori.dom1.corp,PORT=8101

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$


# Start webdispatcher



Execute_00 = local rm -f $(_WD)

Execute_01 = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)

Start_Program_00 = local $(_WD) pf=$(_PF)


#Configuration Entries

wdisp/system_conflict_resolution = 1

wdisp/add_clientprotocol_header = 1

wdisp/handle_webdisp_ap_header = 1

wdisp/add_xforwardedfor_header = true


rdisp/TRACE = 1

# Automatic Rendering Info of systems

#wdisp/group_info_protocol = http

#wdisp/ping_protocol = http

#wdisp/url_map_protocol = http

wdisp/ssl_encrypt = 1

ssl/ssl_lib = /usr/sap/<system-name>/SYS/exe/f/g/libsapcrypto.so

ssl/server_pse = /usr/sap/<system-name>/<instance-name>/sec/SAPSSLS.pse

ssl/client_pse = /usr/sap/<system-name>/<instance-name>/sec/SAPSSLS.pse

icm/HTTPS/verify_client = 1

wdisp/ssl_auth = 1

icm/HTTPS/forward_ccert_as_header = true

icm/HTTP/mod_0 =PREFIX=/, FILE=/usr/sap/<system-name>/SYS/profile/rewrite.txt

wdisp/system_0 = SID=<system-ID HANA>, EXTSRV=https://fiori.dom1.corp:4302,SRCSRV=*:4050, SRCURL=/sap/hba/;/sap/hana;/sap/bi;/sap/ui5;/sap/check

wdisp/system_1 = SID=<system-ID HANA>, EXTSRV=http://fiori.dom1.corp:8002,SRCSRV=*:8120, SRCURL=/sap/hba/;/sap/hana;/sap/bi

wdisp/system_2 = SID=<system-ID Personas>, MSHOST=personas.dom2.corp, MSPORT=8100,SRCSRV=*:4050, SRCURL=/sap/bc/personas;/sap/public/icmandir

wdisp/system_3 = SID=<system-ID Fiori>, MSHOST=fiori.dom1.corp, MSPORT=8101,SRCSRV=*:8120;*:4050, SRCURL=/sap/bc/;/sap/public/bc/;/sap/opu/odata;/sap/opu/sodata/;/sap/es,  CLIENT=004

wdisp/system_4 = SID=<system-ID Portal>, EXTSRV=https://portal.dom3.corp:50001, SRCSRV=*:4050, SRCURL=/irj/;/

wdisp/system_5 = SID=<system-ID Portal>, EXTSRV=https://portal.dom3.corp:50001, SRCSRV=*:4050, SRCURL=/mcm/;/

In the section SAP Web Dispatcher Ports, we configured a port for HTTP as 81+system number, being 8120, and the port for HTTPS as 4050. To make communication more secure, we use SSL and now call our portal at https://fiori.dom1.corp:4050/irj/portal (because the Web Dispatcher runs on the fiori.dom1 system). Personas applications are called at https://fiori.dom1.corp:4050/sap/bc/personas/ + some parameters, while the relative path to Fiori applications starts with /sap/bc/ui5_ui5/.

To overcome possible resolution conflicts, we set wdisp/system_conflict_resolution = 1, so the first fitting system entry is selected and put first

wdisp/system_2 = SID=<system-ID Personas>, MSHOST=personas.dom2.corp, MSPORT=8100,SRCSRV=*:4050, SRCURL=/sap/bc/personas

to filter for all personas application calls, and then

wdisp/system_3 = SID=<system-ID Fiori>, MSHOST=fiori.dom1.corp, MSPORT=8101,SRCSRV=*:8120;*:4050, SRCURL=/sap/bc/;/sap/public/bc/;/sap/opu/odata;/sap/opu/

to direct all other calls with a relative URL starting with /sap/bc/ to the Fiori system.

Note that for the message server entries for both the Fiori and the Personas system are defined using parameter MSPORT and the http port, as SSL is only used for the connection to the backend application server, but not to the message server.

In general, there are different manners how web dispatcher can be configured for SSL, but we decided to use SSL re-encryption where the Web Dispatcher decrypts the HTTPS request and then SSL-encrypt the request again before forwarding it to the web application server. This is configured by

1. Setting PROT=HTTPS for the ICM/server_port: icm/server_port_1 = PROT=HTTPS,HOST=fiori.dom1.corp,PORT=4050

(for decrypting the request)

2. Setting wdisp/ssl_encrypt = 1 (for encrypting the request again)

3. Configure the web dispatcher with PSEs, signed certificates, and credentials according to the documentation (http://help.sap.com/saphelp_nw73/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm?frameset=/en/49/3e82e882a33e90e10000000a42189c/frameset.htm&current_toc=/en/cd/a3937849b043509786c5b42171e5d3/plain.htm&node_id=182&show_children=false).

If you are interested in more details and a much more complete guide on Web Dispatcher configuration for SSL, I highly recommend reading How to Configure SAP WebDispatcher for SSL. A great guide!


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

Leave a Reply