Over the years I’ve had to install and upgrade a number of SAP Web Dispatchers. The following is my go-to configuration for version 7.45; the starting point is SAP Note 908097 – SAP Web Dispatcher: Release, apply patches #/notes/908097/E

Note the following statements, “Version 7.45 is the recommended SAP Web Dispatcher version for all backend systems” and “SAP Web Dispatcher version 7.45 is installed and delivered in the Unicode variant, older versions were non-Unicode. The non-Unicode variant is installed in the ../nuc/.. directory instead of ../uc/”. Hence best to switch to ../uc/ when upgrading from a release prior to 7.45.

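The configuration below is for an S/4 HANA landscape with a HANA backend (system_0) and an ABAP backend (system_1), using default ports, supporting end-to-end HTTPS, and running on a virtual IP (alias). I’ve also included references to the SAP notes behind some of the features and security parameters that I tend to enable for an internal install. Logging, HTTPS and http_mod are to be configured as required; values shown in angle brackets (for example <SAPSID> or <as required>) are placeholders that must be replaced before use.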

The following directories need to be created to support the config:


$(DIR_INSTANCE)/data/error_templ

$(DIR_INSTANCE)/log/httpaccess

$(DIR_INSTANCE)/data/cache/0

The following files need to be created to support the config:


$(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_http_mod

$(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_permission_table

Parameters

# DEFAULT.PFL
# Default profile: system-wide values. Angle-bracket values are placeholders
# that must be replaced with the real SID and host name.

SAPSYSTEMNAME = <SAPSID>

# Selects the Unicode executable directory; DIR_CT_RUN in the instance profile
# expands $(OS_UNICODE) into its path.
OS_UNICODE = uc

SAPGLOBALHOST = <hostname>

# NOTE(review): the value is left empty in the original post - set it as
# appropriate for the installation.
system/type =

#———————————————————————–

# Security

#———————————————————————–

# 2287039 – ICMAN – Redirect page shows server information

# Generic name/version values, so that the server identification shown to
# clients does not reveal the actual product release (see the note above).
is/server_name = SAP

is/server_version = 1.0

# 2260323 – Internet Communication Manager (ICM) 7.20 security settings

# Both switches reduce what a client can learn about the server: no server
# header in responses and no detailed error information in error pages.
is/HTTP/show_server_header = FALSE

is/HTTP/show_detailed_errors = FALSE

# Directory holding the error page templates. It is one of the directories that
# has to be created by hand; keep it writable only by the instance owner so the
# pages served to clients cannot be altered by other local users.
icm/HTTP/error_templ_path = $(DIR_INSTANCE)/data/error_templ

# INSTANCE_PROFILE.PFL
# Instance profile of the Web Dispatcher. Angle-bracket values are placeholders.

SAPSYSTEMNAME = <SAPSID>

SAPSYSTEM = <NR>

INSTANCE_NAME = W<NR>

# Executables are taken from the $(OS_UNICODE) directory (uc in DEFAULT.PFL).
DIR_CT_RUN = $(DIR_EXE_ROOT)$(DIR_SEP)$(OS_UNICODE)$(DIR_SEP)linuxx86_64

DIR_EXECUTABLE = $(DIR_CT_RUN)

SAPLOCALHOST = <HOSTNAME>

# Used throughout this profile as the domain suffix appended to a host name
# (see SAPLOCALHOSTFULL and the wdisp/system_<n> entries).
SAPFQDN = <FQDN>

SAPLOCALHOSTFULL = $(SAPLOCALHOST).$(SAPFQDN)

DIR_PROFILE = $(DIR_INSTALL)/profile

# Path of this profile; passed to the executable as pf= in Restart_Program_00.
_PF = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)

# Environment for the started process: the instance's library and executable
# directories are placed in front of the existing search paths, so libraries
# and programs are resolved from those directories first. They should therefore
# be writable only by the instance owner.
# NOTE(review): %(NAME) presumably refers to the value already present in the
# environment - confirm against the sapstart documentation.
SETENV_00 = DIR_LIBRARY=$(DIR_LIBRARY)

SETENV_01 = LD_LIBRARY_PATH=$(DIR_LIBRARY):%(LD_LIBRARY_PATH)

SETENV_02 = SHLIB_PATH=$(DIR_LIBRARY):%(SHLIB_PATH)

SETENV_03 = LIBPATH=$(DIR_LIBRARY):%(LIBPATH)

SETENV_04 = PATH=$(DIR_EXECUTABLE):%(PATH)

#———————————————————————–

# Accessibility of Message Server

#———————————————————————–

# 2193190 – Web Dispatcher – wdisp/system_conflict_resolution – BEST_MATCH

# Both systems below share the same SRCSRV host:port, so a rule is needed to
# decide which system a request belongs to; the note above describes BEST_MATCH.
wdisp/system_conflict_resolution = BEST_MATCH

# 1937653 – System specific SSL parameter for SAP Web Dispatcher

# system_0: HANA backend, addressed directly through EXTSRV over https on port
# 4300 and limited to the URL prefixes in SRCURL. Requests are selected by the
# virtual host alias in SRCVHOST. SID=HDB is the name the logging section
# refers to with SYSTEM=HDB.
# SSL_ENCRYPT=2 is set per system here as well as globally (wdisp/ssl_encrypt).
wdisp/system_0 = SID=HDB, EXTSRV=https://saphdb1.$(SAPFQDN):4300, SRCSRV=$(SAPLOCALHOST).$(SAPFQDN):443, SRCVHOST=<ALIAS0>.$(SAPFQDN):443, SRCURL=/sap/hba/;/sap/hana/;/sap/ui5/, SSL_ENCRYPT=2

# system_1: ABAP backend, located through its message server (MSHOST, MSSPORT)
# with CONFIG_PROTOCOL=https. SID=ERP matches SYSTEM=ERP in the logging section.
# NOTE(review): the backend and message server certificates have to be trusted
# by the client credential this Web Dispatcher uses (wdisp/ssl_cred), otherwise
# the HTTPS connections to the backends cannot be verified - confirm the trust
# list of that PSE as part of the setup.
wdisp/system_1 = SID=ERP, MSHOST=saperp1.$(SAPFQDN), MSSPORT=8100, SRCSRV=$(SAPLOCALHOST).$(SAPFQDN):443, SRCVHOST=<ALIAS1>.$(SAPFQDN):443, SCSHOST=saperpscs.$(SAPFQDN), NR=01, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https

#———————————————————————–

# Configuration for default scenario

#———————————————————————–

# 2007212 – Tuning SAP Web Dispatcher and ICM for high load

icm/max_conn = 2000

#———————————————————————–

# SAP Web Dispatcher Ports

#———————————————————————–

# 421359 – ICM: Binding ports < 1024 on UNIX

# Ports 80 and 443 are below 1024; EXTBIND=1 is set on both entries in line
# with the note above on binding such ports on UNIX.
# NOTE(review): the post describes end-to-end HTTPS, yet a plain HTTP listener
# is opened on port 80. If it is only wanted for redirecting to HTTPS, make
# sure the http_mod rules do that; otherwise consider leaving this entry out.
icm/server_port_0 = PROT=HTTP, HOST=$(SAPLOCALHOST), PORT=80, TIMEOUT=360, PROCTIMEOUT=720, EXTBIND=1

# HTTPS listener; SSLCONFIG refers to icm/ssl_config_0 in the Security section.
icm/server_port_1 = PROT=HTTPS, HOST=$(SAPLOCALHOST), PORT=443, TIMEOUT=360, PROCTIMEOUT=720, EXTBIND=1, SSLCONFIG=ssl_config_0

# 2258786 – Potential information disclosure relating to SAP Web Administration Interface

# Web administration interface under /sap/admin/, restricted to the given HOST
# and PORT, with ALLOWPUB=FALSE and authentication through AUTHFILE.
# NOTE(review): icm/authfile is referenced but not set anywhere in this
# listing, so whatever value is in effect by default is used - confirm where
# that file lives and that only the instance owner can read and write it.
# NOTE(review): the admin interface shares port 443 with end-user traffic;
# consider a dedicated port that is reachable only from the administration
# network.
icm/HTTP/admin_0 = PREFIX=/sap/admin/, DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir, HOST=$(SAPLOCALHOST).$(SAPFQDN), AUTHFILE=$(icm/authfile), PORT=443, ALLOWPUB=FALSE

icm/host_name_full = $(SAPGLOBALHOST).$(SAPFQDN)

#———————————————————————–

# Security

#———————————————————————–

# 2014996 – SSL Setup SAP Web Dispatcher

# 510007 – Setting up SSL on Application Server ABAP

# Server-side TLS settings used by icm/server_port_1 (SSLCONFIG=ssl_config_0).
# CRED is the server PSE; it holds the private key, so the sec directory should
# be readable only by the instance owner.
icm/ssl_config_0 = VCLIENT=1, CRED=$(DIR_INSTANCE)/sec/SAPSSLS.pse

# 1 = a client certificate is requested, but the handshake also succeeds
# without one (0 would not request a certificate, 2 would require one).
icm/HTTPS/verify_client = 1

# A certificate presented by the client is passed on to the backend in an HTTP
# header. The backend must accept that header only from this Web Dispatcher;
# if clients can reach the backend directly, the header cannot be relied on.
icm/HTTPS/forward_ccert_as_header = TRUE

# 2160678 – SSO stops working when the “icm/HTTPS/trust_client_with*” parameters are configured

# NOTE(review): these two parameters name the certificate of an intermediary
# that is trusted to forward client certificates. Confirm whether they belong
# in this profile or in the profile of the system that receives the forwarded
# header, and check the note above for the effect on SSO. Replace the
# placeholders with the full issuer and subject.
icm/HTTPS/trust_client_with_issuer = CN=<as required>

icm/HTTPS/trust_client_with_subject = CN=<as required>

# 2092630 – Turning off SSLv3 on SAP NetWeaver

# Placeholders: the cipher suite strings have to be filled in; the note above
# covers the values that switch off SSLv3.
ssl/ciphersuites = <as required>

ssl/client_ciphersuites = <as required>

wdisp/add_client_protocol_header = TRUE

# Connections from the Web Dispatcher to the backends. ssl_cred is the client
# PSE used for them.
# NOTE(review): 2 for wdisp/ssl_encrypt presumably means the backend connection
# is always encrypted, and 2 for wdisp/ssl_auth presumably selects the
# credential named in wdisp/ssl_cred - confirm both against the parameter
# documentation.
wdisp/ssl_encrypt = 2

wdisp/ssl_auth = 2

wdisp/ssl_cred = $(DIR_INSTANCE)/sec/SAPSSLC.pse

wdisp/HTTP/use_pool_for_new_conn = 1

# 2180024 – HANA & ABAP: New Option to Enable/Disable FIPS 140-2 Certified Crypto Kernel

# NOTE(review): with the FIPS option switched on, check that the cipher suites
# chosen above are still available.
ccl/fips/enable = 1

#———————————————————————–

# Logging (System Specific)

#———————————————————————–

# 2155855 – Web Dispatcher – System specific logging, caching and file access

# One access log per backend system (SYSTEM matches the SID in wdisp/system_<n>)
# plus a separate log for the administration interface, all in the
# log/httpaccess directory that has to be created by hand.
# Access logs can contain request URLs including query strings; restrict read
# access to the directory and include the files in log collection.
# NOTE(review): SWITCHTF=day is set but the LOGFILE names contain no date
# placeholder, and no size or retention limit is given - confirm how the daily
# switch names the files so that earlier logs are not overwritten.
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.erp, LOGFORMAT=SAP, SWITCHTF=day, SYSTEM=ERP

icm/HTTP/logging_1 = PREFIX=/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.hdb, LOGFORMAT=SAP, SWITCHTF=day, SYSTEM=HDB

# Requests to the web administration interface (/sap/admin/) are logged
# separately, which makes administrative access easy to review.
icm/HTTP/logging_2 = PREFIX=/sap/admin/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.adm, LOGFORMAT=SAP, SWITCHTF=day

#———————————————————————–

# URL Mod Handler

#———————————————————————–

# Rule file for the modification handler; it is one of the two files that have
# to be created by hand. Its content is not shown in the post.
icm/HTTP/mod_0 = PREFIX=/, FILE = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_http_mod

#———————————————————————–

# Permission Table

#———————————————————————–

# URL permission file; the content used by the author is listed after the
# profile. Keep it writable only by the instance owner, since it decides which
# URLs are forwarded.
wdisp/permission_table = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_permission_table

#———————————————————————–

# File Access (Global)

#———————————————————————–

# NOTE(review): both files are read from $(DIR_INSTANCE)/data/public, which is
# not among the directories the post lists as needing to be created. DOCROOT
# also points at a file rather than a directory here - confirm that this is the
# intended form.
icm/HTTP/file_access_0 = PREFIX=/robots.txt, DOCROOT=$(DIR_INSTANCE)/data/public/robots.txt

icm/HTTP/file_access_1 = PREFIX=/favicon.ico, DOCROOT=$(DIR_INSTANCE)/data/public/favicon.ico

#———————————————————————–

# Cache (Global)

#———————————————————————–

# Server cache for everything under PREFIX=/ in data/cache/0 (a directory that
# has to be created by hand).
# NOTE(review): the cache covers all URLs. Confirm that the backends mark
# user-specific responses as not cacheable, so that one user's response is
# never served to another from this cache.
icm/HTTP/server_cache_0/http_cache_control = true

icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR = $(DIR_INSTANCE)/data/cache/0

# 86400 is presumably a number of seconds, i.e. one day - confirm the unit.
icm/HTTP/server_cache_0/expiration = 86400

#———————————————————————–

# Start Web Dispatcher

#———————————————————————–

# 768727 – Automatic restart functions in sapstart for processes

Autostart = 1

SignalMask_00 = default, 9

logfile/rotate = true

# Name of the link through which the Web Dispatcher executable is started.
_WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)

# SECUDIR points at the directory holding the PSE files referenced in the
# Security section (SAPSSLS.pse, SAPSSLC.pse); restrict it to the instance owner.
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec

# Start sequence: remove a stale link, link the sapwebdisp executable to the
# name in _WD, then start it with this profile (pf=$(_PF)).
# The link name is relative, so it is created in whatever directory these
# commands run in; that directory should be writable only by the instance owner.
Execute_00 = local rm -f $(_WD)

Execute_01 = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)

# Restart_Program (rather than a plain start entry) goes with the automatic
# restart function described in the note above.
Restart_Program_00 = local $(_WD) pf=$(_PF)

# _permission_table
# Content of the file named in wdisp/permission_table. The rules go from
# specific denials, to the permitted /sap/ tree, to a deny-all default.
# NOTE(review): this order only works if the first matching entry wins -
# confirm against the permission table documentation before reordering.


# Deny public information

# The deny entries come before the broader /sap/* entry that would otherwise
# cover these paths.
# NOTE(review): the second and third entries have no trailing wildcard -
# confirm whether sub-paths and other variants of these URLs are matched too.
D /sap/public/icf_info/*

D /sap/public/info

D /sap/public/icf_check

# Allowed

# NOTE(review): S (as opposed to a plain permit) presumably restricts the entry
# to HTTPS requests, so /sap/ would not be served over the HTTP listener on
# port 80 - confirm.
S /sap/*

# Deny all others

# Default deny: anything not matched above is rejected.
# NOTE(review): /robots.txt and /favicon.ico from the File Access section are
# outside /sap/; if this table is evaluated for those requests they are denied
# as well - confirm which behaviour is wanted.
D *

Some other good features to be aware of:

1971571 – Web Dispatcher new features: Proxy connect and cookie filter #/notes/1971571/E

2220456 – How to configure SAP Web Dispatcher for Reverse Invoke #/notes/2220456/E

2192839 – Using Web Dispatcher protocol ROUTER for TCP load balancing #/notes/2192839/E

Hope it’s of help

Craig
