Skip to Content

Update 24/07/2017 : when using the web dispatcher configuration below, where all applications are behind the same origin, the kernel of front- and backend server need to be the same.  See  SAP Note 2477189 – SAP NetWeaver Gateway, ICM, Web Dispatcher, S/4HANA and Kernel compatibility info 

We are working on an update of the web dispatcher config where classic UI and web dynpro apps are behind a different origin, where this restriction would not apply.

SAP Fiori applications are HTML5 applications based on the SAPUI5 java script library.  They are made of a combination of resources like java script, html, xml, css and image files.  At runtime they are downloaded first and after running locally in the client (end-users browser).

SAP Fiori applications retrieve or send updates to application data using OData calls provided by a SAP Gateway (aka frontend) server.  OData is an open standard based on existing standards like HTTP, REST, XML, JSON and more.  This frontend server provides data from SAP backends (this can be a S/4H, ERP, CRM or other system) via the OData format.  However some Fiori apps also need Analytic or Enterprise Search data provided directly by the backend.  Other apps launched from the Fiori Launchpad will need direct webdypro, web gui content be provided by the backend directly. See figure below:

A reverse proxy, like the SAP Web Dispatcher, needs to be placed in front of the front-end server and backend-server to route calls to the right server.  Such reverse proxy is needed because of its capabilities like URL redirection and rewriting and adding certificate authentication.  This reverse proxy can be hardware or a software application like the SAP Web Dispatcher.

If no reverse proxy some SAP Fiori apps like UI5 analytic apps will not work and no load balancing will be done in case multiple application servers are used.

In the next table a list of the routing mapping configuration needed in the reverse proxy for web traffic between a SAP Frontend and S/4H backend systems.

URL Path Routing Description
/sap/bc/ui5_ui5/ Frontend SAPUI5 Application Handler
/sap/bc/ui2/ Frontend UI Extension
/sap/bc/lrep Frontend LREP HTTP handler
/sap/opu/odata Frontend OData Standard Mode
/sap/bc/nwbc/ Frontend NetWeaver Business Client
/sap/public/ Frontend PUBLIC SERVICES
/sap/bc/bsp Frontend BUSINESS SERVER PAGES (BSP) RUNTIME
/sap/saml2 Frontend SAML
/sap/bc/webdynpro/ Backend Web Dynpro (WD) Runtime
/sap/es/ Backend Enterprise Search
/sap/bc/gui/ Backend ITS-Based GUI Services
/sap/bc/apc Backend ABAP Push Channel Framework
/sap/bw/ina Backend BW InA
/sap/bw/Mime/DS/Content Backend MIME IN WEB REPORTING

 

The above routing mapping would translate to the following Web Dispatcher configuration file

wdisp/system_0 = SID=XXX, MSHOST=FRONTEND-FQDN, MSPORT=XXXX, SSL_ENCRYPT=1, SRCSRV=*:44310, SRCURL=/sap/bc/ui5_ui5/;/sap/bc/ui2/;/sap/bc/lrep;/sap/opu/odata;/sap/bc/nwbc/;/sap/public/;/sap/bc/bsp;/sap/saml2

wdisp/system_1 = SID=XXX, MSHOST=S4HBACKEND-FQDN, MSPORT=XXXX, SSL_ENCRYPT=1, SRCSRV=*:44310, SRCURL=/sap/bc/webdynpro/;/sap/es/;/sap/bc/gui/;/sap/bc/apc;/sap/bw/ina;/sap/bw/Mime/DS/Content

This configuration is based on the Web Dispatcher configuration mentioned here, with some changes.  https://blogs.sap.com/2016/10/12/sap-fiori-s4hana-10-lessons-learned-s4hana-1511-projects/

This configuration should be complete for most customers but there might still be specific cases not covered.  Also a customer might, because of security reasons want to limit the urls redirected.  Therefore the configuration is to be discussed and implemented together with the network and security experts from the customer.

The recommended deployment option for SAP Gateway is to use a separate server (aka central hub deployment), see http://go.sap.com/documents/2016/06/e8e53e50-767c-0010-82c7-eda71af511fa.html#  .  However it is also possible to deploy the SAP Gateway on the backend system (aka embedded deployment) In this case a reverse proxy is technically not needed but preferred for security reasons.

Note that earlier releases like SAP Suite on Hana, SFIN 1.0 and SFIN 2.0 need a different configuration.  In this case some urls need to be redirected directly to the SAP Hana Database. This is not the case anymore in S/4H.  http://help.sap.com/saphelp_hba/helpdata/en/5e/9d0c52bcc19b33e10000000a44538d/content.htm?frameset=/en/42/de5f52eddd6f2de10000000a44176d/frameset.htm

Some further related information:

The S/4HANA Fiori Foundation Configuration (MAA) also describes the Web Dispatcher installation and more.  https://blogs.sap.com/2016/11/11/fiori-for-s4hana-getting-started-with-documentation/

Fiori frontend architecture when working with multiple clients in the backend.  https://blogs.sap.com/2016/10/11/configure-fiori-multi-clients/

Hope this information provides some insight and can help in your next S/4HANA implementation project!

Best regards,

Hannes Defloo

S/4HANA RIG team

To report this post you need to login first.

6 Comments

You must be Logged on to comment or reply to a post.

  1. Mark Goovaerts

    Hi Hannes,

    Very nice overview ! Simple explanation and well documented.

    I actually have one extra question. In the scheme I only see HTTPS between the SAP Webdispatcher (or another reverse proxy). I suppose this is not an obligation and you can also setup this traffic with HTTP ?

    Kind regards,

    Mark

    (0) 
    1. Hannes Defloo Post author

      Thanks for your comment Mark!

      HTTPS is no technical obligation but ofcourse highly recommended, otherwise all traffic including usernames and passwords, is just sent over the network in clear text!

      Hannes

       

      (1) 
  2. Chiwo Lee

    Hello Hannes,

    Thanks for the article. Based on your writing, I found that the URL /sap/bc/bsp is actually missing from the MAA_NWG20_BB_ConfigGuide_EN_XX Fiori Foundation configuration guide.

    I truly like your mapping table and the explanations inside !

    Regards,

    Chiwo

     

    (0) 
  3. Tom Tearpock-Sym

    Adding wdisp backend entry seems to allow direct URL from webdispatcher to backend (for more than just “search”).  What is mechanism that forces call to backend (e.g. /sap/bc/gui) to use frontend authentication and not just end up depending on backend authentication?

    (0) 

Leave a Reply