
We have MDC for HANA. When I try to open the XS Administration Tool, i.e. the URL (http://hostname:8000/sap/hana/xs/wdisp/admin/), I get the error below.

[Image: Capture.JPG]

After checking the trace, I see that the Web Dispatcher is actively denying the access to the administration page due to its settings:

[Thr 139637169854208] HttpModExecuteRule: execute RewriteRule [0] "RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"

[Thr 139637169854208] HttpModExecuteRule: apply pattern "^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/wdisp/admin/"

[Thr 139637169854208] HttpModExecuteRule: pattern "^/sap/hana/xs/wdisp/admin/(.*)" matched path: "/sap/hana/xs/wdisp/admin/"
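To confirm from a longer trace that a modification rule produced the denial, the line types in the excerpt above can be correlated by thread ID. This is an added example, not SAP code or part of the original post; it assumes each trace entry sits on one line and that a forbidding directive has "Forbidden" in its name (as RegIForbiddenUrl does), and the second thread in the sample is constructed.

```python
import re

# Line formats taken from the trace excerpt above; any other line is ignored.
EXEC_RE = re.compile(r'\[Thr (\d+)\] HttpModExecuteRule: execute RewriteRule \[(\d+)\] "(\S+) (.*)"')
MATCH_RE = re.compile(r'\[Thr (\d+)\] HttpModExecuteRule: pattern "(.*)" matched path: "(.*)"')

# Constructed sample: the first thread repeats the excerpt above; the second
# thread is made up and shows a rule that was evaluated but did not match.
SAMPLE_TRACE = '''\
[Thr 139637169854208] HttpModExecuteRule: execute RewriteRule [0] "RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"
[Thr 139637169854208] HttpModExecuteRule: apply pattern "^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/wdisp/admin/"
[Thr 139637169854208] HttpModExecuteRule: pattern "^/sap/hana/xs/wdisp/admin/(.*)" matched path: "/sap/hana/xs/wdisp/admin/"
[Thr 139637169850000] HttpModExecuteRule: execute RewriteRule [0] "RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"
[Thr 139637169850000] HttpModExecuteRule: apply pattern "^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/formLogin/login.html"
'''

def forbidden_hits(trace_text):
    """Return one dict per request path that matched a forbidding rule."""
    current = {}  # thread id -> (rule index, directive, rule arguments)
    hits = []
    for line in trace_text.splitlines():
        # Normalise smart quotes introduced by copying a trace out of a web page.
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        m = EXEC_RE.search(line)
        if m:
            thread, index, directive, args = m.groups()
            current[thread] = (int(index), directive, args)
            continue
        m = MATCH_RE.search(line)
        if m:
            thread, pattern, path = m.groups()
            index, directive, args = current.get(thread, (None, None, ""))
            # Count only forbidding rules whose arguments start with the
            # pattern that matched, i.e. same rule on the same thread.
            if directive and "Forbidden" in directive and args.startswith(pattern):
                hits.append({"thread": thread, "rule": index, "directive": directive,
                             "pattern": pattern, "path": path})
    return hits

if __name__ == "__main__":
    for hit in forbidden_hits(SAMPLE_TRACE):
        print("thread {thread}: rule [{rule}] {directive} {pattern} blocked {path}".format(**hit))
```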

I could see that the rule file contains the following:

Hostname:/usr/sap/<SID>/HDB00/hostname/tmp> more default_mod_rules_admin_ui

#These are the default modification rules used for restricting access to the Admin UI to SingleDb and SystemDb users only!

if %{SID} != —

RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) - [break]

Hostname:/usr/sap/<SID>/HDB00/hostname/tmp>

These files are not meant to be edited manually. Even if you edit the file and restart the Web Dispatcher, it is regenerated automatically in its previous state.

Apparently the file 'default_mod_rules_admin_ui' is auto-generated after some Web Dispatcher configuration on HANA, and it is rewritten on every restart of the Web Dispatcher. The file restricts access to '/sap/hana/xs/wdisp/admin/' because the Web Dispatcher Administration must not be accessed by tenant DB users, since there is one Web Dispatcher for multiple tenants. As a consequence, access to the Web Dispatcher Administration is allowed only for SystemDB users. Because the Web Dispatcher has no knowledge of which DB is the SystemDB, access is forbidden by default for all users and has to be enabled manually for the SystemDB.

1) Therefore, in your configuration you have to set the parameter wdisp/enable_admin_ui_for_sid=<Instance Name> in webdispatcher.ini and then restart the Web Dispatcher.

[Image: Captures.JPG]

You can refer to the note 2017899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users

Example:

#wdisp/system_0=SID=$(SAPSYSTEMNAME), EXTSRV=http://localhost:3$(SAPSYSTEM)14,SRCVHOST=hostname.abc.com  #This system represents the System DB

#wdisp/system_1=SID=TN1, EXTSRV=http://localhost:3$(SAPSYSTEM)42,SRCVHOST=hostname-TN1    # This system represents a Tenant DB

#wdisp/enable_admin_ui_for_sid = SYS  # Only users in the System DB that have the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin or sap.hana.xs.wdisp.admin::WebDispatcherMonitor are authorized to access the Admin UI.

Therefore, the correct URL should be:

http://hostname.abc.com:8000/sap/hana/xs/wdisp/admin.

2) Please ensure that the permissions for SYSTEM User within HANA Studio are correct. To configure these:

Start HANA and connect to the HANA Server

Navigate to Security, then Users

Open user SYSTEM

On the Granted Roles tab click the green + to add a role

Search for role: sap.hana.xs.wdisp.admin::WebDispatcherAdmin or sap.hana.xs.wdisp.admin::WebDispatcherMonitor

Only users in the System DB that have the above roles are authorized to access the Admin UI.

You can refer to SAP Note 2107899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users

This behavior was a security issue fixed with Revision 91. As a result, it is unfortunately not described in the original HANA Admin Guide for SPS 9. However, this is only required for SP09. In SP10 this is done automatically.

You will also get "403 access denied" if you try to access the Web Dispatcher Admin UI through a tenant DB (http://Tenant-DB:8000/sap/hana/xs/wdisp/admin). This is expected behavior, because in a MultiDB system tenant DBs are not supposed to have access to the Web Dispatcher Admin. Only the System DB is able to access the Admin UI.
