Unable to open HANA XS Admin Page
We have MDC for HANA. When I try to open the XS Administration Tool, i.e. the URL (http://hostname:8000/sap/hana/xs/wdisp/admin/), I get the error below.
After checking the trace, I see that the Web Dispatcher is actively denying the access to the administration page due to its settings:
[Thr 139637169854208] HttpModExecuteRule: execute RewriteRule [0] "RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"
[Thr 139637169854208] HttpModExecuteRule: apply pattern "^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/wdisp/admin/"
[Thr 139637169854208] HttpModExecuteRule: pattern "^/sap/hana/xs/wdisp/admin/(.*)" matched path: "/sap/hana/xs/wdisp/admin/"
The rule file contains the following:
Hostname:/usr/sap/<SID>/HDB00/hostname/tmp> more default_mod_rules_admin_ui
#These are the default modification rules used for restricting access to the Admin UI to SingleDb and SystemDb users only!
if %{SID} != —
RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) - [break]
Hostname:/usr/sap/<SID>/HDB00/hostname/tmp>
These files are not meant to be edited manually. Even if you edit the file and restart the Web Dispatcher, it is regenerated automatically to its previous state.
Apparently the file 'default_mod_rules_admin_ui' is auto-generated after doing some Web Dispatcher configuration on HANA, and it is rewritten on every restart of the Web Dispatcher. The reason this 'default_mod_rules_admin_ui' file restricts access to '/sap/hana/xs/wdisp/admin/' is that the Web Dispatcher Administration must not be accessed by tenant DB users, since there is one Web Dispatcher for multiple tenants. As a consequence, access to the Web Dispatcher Administration is only allowed for SystemDB users. Because the Web Dispatcher has no knowledge of which DB is the SystemDB, access is forbidden for all users by default and has to be enabled manually for the SystemDB.
1) Therefore, in your configuration you have to set the parameter wdisp/enable_admin_ui_for_sid=<Instance Name> in webdispatcher.ini. Then restart the Web Dispatcher.
You can refer to the note 2017899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users
Example:
#wdisp/system_0=SID=$(SAPSYSTEMNAME), EXTSRV=http://localhost:3$(SAPSYSTEM)14,SRCVHOST=hostname.abc.com #This system represents the System DB
#wdisp/system_1=SID=TN1, EXTSRV=http://localhost:3$(SAPSYSTEM)42,SRCVHOST=hostname-TN1 # This system represents a Tenant DB
#wdisp/enable_admin_ui_for_sid = SYS # Only users in the System DB that have the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin or sap.hana.xs.wdisp.admin::WebDispatcherMonitor are authorized to access the Admin UI.
Therefore, the correct URL should be:
http://hostname.abc.com:8000/sap/hana/xs/wdisp/admin.
2) Please ensure that the permissions for SYSTEM User within HANA Studio are correct. To configure these:
Start HANA and connect to the HANA Server
Navigate to Security, then Users
Open user SYSTEM
On the Granted Roles tab click the green + to add a role
Search for role: sap.hana.xs.wdisp.admin::WebDispatcherAdmin or sap.hana.xs.wdisp.admin::WebDispatcherMonitor
Only users in the System DB that have the above roles are authorized to access the Admin UI.
You can refer to SAP Note 2107899 – HANA Web Dispatcher – Multi DB – Access to Administration UI is restricted to System DB users
This behavior was a security issue fixed with Revision 91. As a result, it is unfortunately not described in the original HANA Admin Guide for SPS 9. However, this is only required for SP09. In SP10 this is done automatically.
You will also get "403 access denied" if you try to access the Web Dispatcher Admin UI using the tenant DB (http://Tenant-DB:8000/sap/hana/xs/wdisp/admin). This is expected behavior, because in a MultiDB system tenant DBs are not supposed to have access to the Web Dispatcher Admin. Only the System DB is able to access the Admin UI.
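The check described in steps 1) and 2), as an added example that is not part of the original post or of SAP's tooling: it reads the wdisp/system_<n> entries and wdisp/enable_admin_ui_for_sid from profile text and reports the one virtual host where the Admin UI should answer and the hosts where 403 is expected. The function names, the SAMPLE_VARS values and the sample profile (the post's example with the entries active) are assumptions.

```python
import re

ADMIN_PATH = "/sap/hana/xs/wdisp/admin/"
# Constructed sample, modelled on the example in the post with the entries active.
SAMPLE_PROFILE = """\
wdisp/system_0 = SID=$(SAPSYSTEMNAME), EXTSRV=http://localhost:3$(SAPSYSTEM)14, SRCVHOST=hostname.abc.com # System DB
wdisp/system_1 = SID=TN1, EXTSRV=http://localhost:3$(SAPSYSTEM)42, SRCVHOST=hostname-TN1 # Tenant DB
wdisp/enable_admin_ui_for_sid = SYS
"""
SAMPLE_VARS = {"SAPSYSTEMNAME": "SYS", "SAPSYSTEM": "00"}  # assumed instance values

def parse_profile(text):
    """Return {key: value} for 'key = value' lines, ignoring comments and [sections]."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops full-line and trailing comments
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def expand(value, variables):
    """Substitute $(NAME) placeholders; unknown names are left as written."""
    return re.sub(r"\$\((\w+)\)", lambda m: variables.get(m.group(1), m.group(0)), value)

def routed_systems(params, variables):
    """Map SID -> SRCVHOST for every wdisp/system_<n> entry."""
    systems = {}
    for key, value in params.items():
        if re.fullmatch(r"wdisp/system_\d+", key):
            parts = expand(value, variables).split(",")
            fields = dict(p.strip().split("=", 1) for p in parts if "=" in p)
            systems[fields.get("SID", "?")] = fields.get("SRCVHOST", "")
    return systems

def admin_ui_report(text, variables):
    """Say where the admin UI is reachable and which virtual hosts should get 403."""
    params = parse_profile(text)
    systems = routed_systems(params, variables)
    sid = expand(params.get("wdisp/enable_admin_ui_for_sid", ""), variables)
    report = {"admin_sid": sid or None, "admin_url": None, "problems": [],
              "denied_hosts": sorted(h for s, h in systems.items() if s != sid)}
    if not sid:
        report["problems"].append("wdisp/enable_admin_ui_for_sid unset: admin UI forbidden for all")
    elif sid not in systems:
        report["problems"].append(f"SID {sid} matches no wdisp/system_<n> entry")
    else:  # HTTP port is 80<instance number>, e.g. 8000 for instance 00
        report["admin_url"] = f"http://{systems[sid]}:80{variables['SAPSYSTEM']}{ADMIN_PATH}"
    return report
```

The report only checks that the profile is internally consistent; the user logging on still needs one of the two WebDispatcher roles in the System DB.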
Thanks, this was helpful
Can you clarify what my settings should look like if my SID of my tenant is MC2 and my instance number is 00 and my ip is AB.CD.EF.GH?
I've added the webdispatcher role to user SYSTEM on both SYSTEMDB and MC2 tenant. But I am still getting access denied. It is not even asking for a username and password.
My trace file shows: [Thr 140006884448000] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-26): SSSLERR_HTTP_REQUEST [icxxconn.c 1723]
[Thr 140006884448000] *** WARNING => IcmConnInitServerSSL: Raw (non-SSL) traffic arriving at SSL port. Hint: This is usally caused by HTTP traffic arriving at the HTTPS port. [icxxconn.c 1740]
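Added example, not part of the thread or of SAP's tooling: a small triage script for the two Web Dispatcher trace signatures quoted on this page, separating a denial by the RegIForbiddenUrl admin rule from plain HTTP sent to the HTTPS port. The function names and finding labels are assumptions, and the sample trace is constructed from the lines quoted on this page.

```python
import re

# Constructed sample, assembled from the trace lines quoted on this page.
SAMPLE_TRACE = '''\
[Thr 139637169854208] HttpModExecuteRule: execute RewriteRule [0]
"RegIForbiddenUrl ^/sap/hana/xs/wdisp/admin/(.*) -"
[Thr 139637169854208] HttpModExecuteRule: apply pattern
"^/sap/hana/xs/wdisp/admin/(.*)" to path: "/sap/hana/xs/wdisp/admin/"
[Thr 139637169854208] HttpModExecuteRule: pattern
"^/sap/hana/xs/wdisp/admin/(.*)" matched path:
"/sap/hana/xs/wdisp/admin/"
[Thr 140006884448000] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-26): SSSLERR_HTTP_REQUEST [icxxconn.c 1723]
'''

RULE_HIT = re.compile(
    r'HttpModExecuteRule: pattern\s+"(?P<pattern>[^"]+)"\s+matched path:\s+"(?P<path>[^"]+)"')
HTTP_ON_SSL = re.compile(r"SapSSLSessionStartNB returned \((?P<rc>-?\d+)\): SSSLERR_HTTP_REQUEST")

def records(trace):
    """Re-join wrapped lines: a record starts at '[Thr <id>]' and runs to the next one."""
    out = []
    for line in trace.splitlines():
        # Pasted traces often carry typographic quotes; normalise them first.
        line = line.strip().replace("\u201c", '"').replace("\u201d", '"')
        if line.startswith("[Thr "):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def triage(trace):
    """Return (thread id, finding, matched path or None) for each known signature."""
    findings = []
    for rec in records(trace):
        thread = rec[5:rec.index("]")]
        hit = RULE_HIT.search(rec)
        if hit:
            # Rule denial: check wdisp/enable_admin_ui_for_sid and the user's roles.
            findings.append((thread, "forbidden-by-rule", hit.group("path")))
        elif HTTP_ON_SSL.search(rec):
            # Scheme/port mismatch: an http:// request reached the HTTPS port.
            findings.append((thread, "http-on-https-port", None))
    return findings
```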
Matthew,
Did you find any solution to your issue? I am running into exact same error when trying to configure CTS via HALM.
CTS system is ABAP. RFCs from CTS to HANA Development shows no certificate issues.
thanks,
Vinod
Hi,
I'm not an ABAP user. But I think what I did was enable public_urls in HANA studio.
http://$(SAPLOCALHOST):80$(SAPSYSTEM)
https://$(SAPLOCALHOST):43$(SAPSYSTEM)
http://hostname:8000/sap/hana/xs/wdisp/admin should prompt you for username/password if everything is running.
I probably re-installed HANA to make it work too, not sure.
Matthew,
I had all the public URLs configured and wdisp within dispatcher profile for tenants. I was still getting the issue. During CTS+ configuration in HALM, there was a step to add path prefix for SOAMANAGER EXPORT_CTS_WS web service. I removed path prefix and provided real URL. That resolved the http issue I was having.
Thanks for your prompt reply.
Vinod