The SAP Web Dispatcher Web Administration interface is a useful tool to monitor and administrate the SAP Web Dispatcher by using a browser. But it takes additional configuration steps to enable it andthere are several options how users can authenticate themselves. But which option is the right one for me, you might ask yourself?
You can find further (general) details about the Web Administration interface in the Web Dispatcher documentation: => “Administration of the SAP Web Dispatcher” => “General Administration Tools of SAP Web Dispatcher” => “Using the Web Administration Interface”.
Authorization Files (AUTHFILE)
You can use the default (and probably most used) option, the authorization files. An authorization file contains a list of usernames and passwords.
If the Web Dispatcher has been installed using the Software Provisioning Manager, there will already be an authorization file with a user webadm and the master password you used during installation. Similar if you used the bootstrap option for setting up a Web Dispatcher without installation (then there will be a file with a user icmadm).
Additionally, you can configure the authentication via X.509 certificates by entering the distinguished name (DN) of the user’s X.509 certificate in the authorization file (in addition to or instead of the password.)
Advantages
- Available out-of-the-box because the installer and bootstrap option create an initial authorization file.
- Authentication possible via X.509 certificates.
Disadvantages
- Usernames and passwords must be maintained manually.
- Users cannot be locked centrally.
- It is not possible to configure a password policy.
- (Hashed) passwords are stored on the file system.
Configuration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin, DOCROOT=./admin, PORT=443, AUTHFILE=<authorization file>
You can find further information in the Web Dispatcher documentation on help.sap.com (=> “Administration of the SAP Web Dispatcher” => “General Administration Tools of SAP Web Dispatcher” => “Using the Web Administration Interface”)
Authentication via Operating System Users
You also have the option to use authentication via OS users that can access the host of the Web Dispatcher. The Web Dispatcher will then forward the received username and password to the operation system and lets it do the authentication.
This is especially helpful because administrators that have to configure the Web Dispatcher usually need operating system access nevertheless.
Advantages
- Authentication only possible via username/password.
- Passwords can be maintained centrally.
- Users can be locked centrally.
Disadvantages
- OS users that are allowed to access the Web Administration interface must be configured manually.
- Users that want to access the Web Administration interface need an OS user on the Web Dispatcher host (even for monitoring access only).
Configuration
You can configure users that are authenticated via the operating system in the authorization file, too. However, instead of entering a password, you enter {SYSTEM}.
If you want to configure an entire user group, you can do this via {SYSTEM_GROUP}.
You also have the option to combine users that are authenticated via the OS and usual users that are configured with passwords in one authorization file.
Examples:
# OS authentication for user my_user
my_user:{SYSTEM}:admin
# on Windows the domain is optional
domain\my_user:{SYSTEM}:admin
# authentication with a password stored in the authorization file
my_local_user:{SHA384}AwD:admin
# a group can be used, too
my_group:{SYSTEM_GROUP}:admin
If you need further information, take a look at SAP Note
2390858.
Availability
Available as of Web Dispatcher 749 PL 210.
{SYSTEM_GROUP} is available as of Web Dispatcher 753 PL 7. (While this was drafted, the release was not yet publicly available.)
Backend Authentication
Last but not least, you have the option to configure the Web Dispatcher to delegate the authentication to the (ABAP) backend system. If you configure this option, administrators authenticate themselves using their backend system user.
But of course, not all backend users will have access to the administration interface - users need the roles and authorizations to access transaction SMICM.
Advantages
- All authentication methods that are supported by the backend system are available.
- Users and password are maintained centrally.
Disadvantages
- If backend system is not available, Web Administration Interface will not be available to analyze the unavailability.
- Users that need to access the Web Administration Interface must have administration authorizations in the backend system.
- Only possible with ABAP backend systems.
- Additional configuration steps in the backend system required.
Configuration
If you want to enable this option, you have to do configuration steps both in the Web Dispatcher and backend system.
You can find a detailed description in SAP Note
2011786.
Availability
Available as of Web Dispatcher 745.
Summary
Now you may wonder which option will be the right one for you.
If the administration interface is rarely used and only by a small number of administrators, traditional authentication files are the best option, because it requires little effort to configure and enable them.
Otherwise, if your Web Dispatcher is serving a single (ABAP) backend system, backend authentication is probably the best option. The main disadvantage is that the administration UI will not be available to analyze issues if the backend system is not available. (As a workaround, you could configure an additional administration interface that uses one of the alternatives.)
If all the administrators who want to use the administration interface already have OS users on the Web Dispatcher host, authentication via OS users is the recommended option.
Otherwise, you should weigh up the advantages and disadvantages of the three available options.
