M. RAHAMAN

Unable to open HANA XS Admin Page

We have MDC for HANA. When I try to open the XS Administration Tool, i.e. the URL (http://hostname:8000/sap/hana/xs/wdisp/admin/), I get the error below.

Capture.JPG

After checking the trace, I see that the Web Dispatcher is actively denying the access to the administration page due to its settings:

[Thr 139637169854208] HttpModExecuteRule: execute RewriteRule [0] "RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"

[Thr 139637169854208] HttpModExecuteRule: apply pattern "^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/wdisp/admin/"

[Thr 139637169854208] HttpModExecuteRule: pattern "^/sap/hana/xs/wdisp/admin/(.*)" matched path: "/sap/hana/xs/wdisp/admin/"

The rule file contains the following:

Hostname:/usr/sap/<SID>/HDB00/hostname/tmp> more default_mod_rules_admin_ui

# These are the default modification rules used for restricting access to the Admin UI to SingleDb and SystemDb users only!

if %{SID} != —

RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) - [break]

Hostname:/usr/sap/<SID>/HDB00/hostname/tmp>

These files are not meant to be edited manually. Even if you edit the file and restart the Web Dispatcher, it is regenerated automatically to its previous state.

Apparently, the file 'default_mod_rules_admin_ui' is auto-generated after Web Dispatcher configuration on HANA, and it is rewritten on every restart of the Web Dispatcher. The file restricts access to '/sap/hana/xs/wdisp/admin/' because the Web Dispatcher Administration must not be accessed by tenant DB users, since there is one Web Dispatcher for multiple tenants. As a consequence, access to the Web Dispatcher Administration is only allowed for SystemDB users. Because the Web Dispatcher has no knowledge of which DB is the SystemDB, access is forbidden by default for all users and has to be manually enabled for the SystemDB.

1) Therefore, in your configuration you have to set the parameter wdisp/enable_admin_ui_for_sid=<Instance Name> in webdispatcher.ini, then restart the Web Dispatcher.


You can refer to SAP Note 2017899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users.

Example:

#wdisp/system_0=SID=$(SAPSYSTEMNAME), EXTSRV=http://localhost:3$(SAPSYSTEM)14,SRCVHOST=hostname.abc.com  #This system represents the System DB

#wdisp/system_1=SID=TN1, EXTSRV=http://localhost:3$(SAPSYSTEM)42,SRCVHOST=hostname-TN1    # This system represents a Tenant DB

#wdisp/enable_admin_ui_for_sid = SYS  # Only users in the System DB that have the role   sap.hana.xs.wdisp.admin::WebDispatcherAdmin  or sap.hana.xs.wdisp.admin::WebDispatcherMonitor  are authorized to access the Admin UI.

Therefore, the correct URL should be:

http://hostname.abc.com:8000/sap/hana/xs/wdisp/admin.

2) Please ensure that the permissions for SYSTEM User within HANA Studio are correct. To configure these:

Start HANA and connect to the HANA Server

Navigate to Security, then Users

Open user SYSTEM

On the Granted Roles tab click the green + to add a role

Search for role: sap.hana.xs.wdisp.admin::WebDispatcherAdmin or sap.hana.xs.wdisp.admin::WebDispatcherMonitor

Only users in the System DB that have the above roles are authorized to access the Admin UI.

You can refer to SAP Note 2107899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users.

This behavior was a security issue fixed with Revision 91. As a result, it is unfortunately not described in the original HANA Admin Guide for SPS 9. However, this is only required for SP09. In SP10 this is done automatically.

You will also get a "403 access denied" error if you try to access the Web Dispatcher Admin UI through the tenant DB (http://Tenant-DB:8000/sap/hana/xs/wdisp/admin). This is expected behavior, because in a MultiDB system tenant DBs are not supposed to have access to the Web Dispatcher Admin. Only the System DB is able to access the Admin UI.
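
To check a webdispatcher.ini against the behavior described above, the following Python script is an added example (not from the original post or from SAP). It parses the wdisp/system_<n> and wdisp/enable_admin_ui_for_sid entries and reports whether the Admin UI is enabled only for the System DB. The function names are hypothetical, the profile text is a constructed sample modelled on the post's example, and the System DB SID and $(…) variable values are assumed to be supplied by the administrator.

```python
import re

# Constructed sample, modelled on the post's example with the leading '#' removed.
SAMPLE_INI = """\
wdisp/system_0 = SID=$(SAPSYSTEMNAME), EXTSRV=http://localhost:3$(SAPSYSTEM)14, SRCVHOST=hostname.abc.com
wdisp/system_1 = SID=TN1, EXTSRV=http://localhost:3$(SAPSYSTEM)42, SRCVHOST=hostname-TN1
wdisp/enable_admin_ui_for_sid = SYS
"""

def parse_profile(text, variables):
    """Return ({SID: SRCVHOST}, enabled_sid) after expanding $(NAME) variables."""
    systems, enabled = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and commented-out lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        for name, val in variables.items():
            value = value.replace("$(%s)" % name, val)
        if re.fullmatch(r"wdisp/system_\d+", key):
            fields = dict(f.strip().split("=", 1) for f in value.split(",") if "=" in f)
            systems[fields["SID"].strip()] = fields.get("SRCVHOST", "").strip()
        elif key == "wdisp/enable_admin_ui_for_sid":
            enabled = value
    return systems, enabled

def audit(systems, enabled, system_db_sid):
    """List problems with the Admin UI setting; an empty list means it matches the post."""
    if enabled is None:
        return ["parameter not set: admin UI stays forbidden for every SID"]
    if enabled not in systems:
        return ["%s is not the SID of any wdisp/system_<n> entry" % enabled]
    if enabled != system_db_sid:
        return ["admin UI enabled for tenant %s, not for the System DB %s" % (enabled, system_db_sid)]
    return []

def admin_ui_status(systems, enabled, host):
    """Simplified model of the generated rule for /sap/hana/xs/wdisp/admin/ on a virtual host.
    'allowed' only means the rule does not block; login and role are still required."""
    sid = next((s for s, h in systems.items() if h.lower() == host.lower()), None)
    return "allowed" if sid is not None and sid == enabled else "403"

if __name__ == "__main__":
    systems, enabled = parse_profile(SAMPLE_INI, {"SAPSYSTEMNAME": "SYS", "SAPSYSTEM": "00"})
    print(audit(systems, enabled, "SYS"))
    for host in systems.values():
        print(host, admin_ui_status(systems, enabled, host))
```

A non-empty result from audit() that names a tenant SID is the case the default rule file exists to prevent: tenant users reaching the Administration of a Web Dispatcher shared by all tenants.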

      5 Comments
      Kunj Bihari Shukla

      Thanks, this was helpful

      Matthew Wong

      Can you clarify what my settings should look like if my SID of my tenant is MC2 and my instance number is 00 and my ip is AB.CD.EF.GH?

       

      I've added the webdispatcher role to user SYSTEM on both SYSTEMDB and MC2 tenant. But I am still getting access denied. It is not even asking for a username and password.

      My trace file shows:

      [Thr 140006884448000] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-26): SSSLERR_HTTP_REQUEST [icxxconn.c 1723]
      [Thr 140006884448000] *** WARNING => IcmConnInitServerSSL: Raw (non-SSL) traffic arriving at SSL port. Hint: This is usally caused by HTTP traffic arriving at the HTTPS port. [icxxconn.c 1740]

      Vinod Malatkar

      Matthew,

      Did you find any solution to your issue? I am running into the exact same error when trying to configure CTS via HALM.

      CTS system is ABAP. RFCs from CTS to HANA Development show no certificate issues.

      thanks,

      Vinod

      Matthew Wong

      Hi,

      I'm not an ABAP user. But I think what I did was enable public_urls in HANA studio.

      http://$(SAPLOCALHOST):80$(SAPSYSTEM)

      https://$(SAPLOCALHOST):43$(SAPSYSTEM)

      http://hostname:8000/sap/hana/xs/wdisp/admin should prompt you for username/password if everything is running.

      I probably re-installed HANA to make it work too, not sure.

      Vinod Malatkar

      Matthew,

      I had all the public URLs configured and wdisp within dispatcher profile for tenants. I was still getting the issue. During CTS+ configuration in HALM, there was a step to add path prefix for SOAMANAGER EXPORT_CTS_WS web service. I removed path prefix and provided real URL. That resolved the http issue I was having.

      Thanks for your prompt reply.

      Vinod