Skip to Content
Technical Articles
Author's profile photo Kai Bauer

How to monitor standalone (non-ABAP) Web Dispatcher Security in Solution Manager

Introduction

Web Dispatchers as a combination of software web switch, reverse proxy and gateway are in most cases the entry door between the Internet and backend systems. It is therefore important to have a sensible security configuration and to check it regularly.

In addition to my previous blog posts:

this article is intended to help overcome minor difficulties in the security monitoring of standalone (non-ABAP) Web Dispatchers in SAP Solution Manager and shows how to create a custom security monitoring report based on the SAP Security Baseline Template┬╣ Version 2.2.

 

Contents

This blog post is structured into the following parts:

  1. Web Dispatcher Security
  2. Security Monitoring in Solution Manager Configuration Validation
    1. Problem: It is not possible to validate the instance profile
    2. Workaround: Moving the security parameters to the Default Profile
    3. Exemplary security configuration in the Default Profile
    4. Building a Configuration Validation Target System
    5. Running the Target System against a dynamic Web Dispatcher Comparison List
    6. Result: Custom Web Dispatcher Security Report
  3. Addition: Presentation in a Security Dashboard

 

Web Dispatcher Security

According to the SAP Security Baseline Template, Web Dispatchers can be secured with the following parameters:

Parameter Recommended Value Description
is/HTTP/show_server_header FALSE Prohibits information disclosure by the Web Dispatcher Server Header.
is/HTTP/show_detailed_errors FALSE Prohibits information disclosure by Web Dispatcher Error Messages.
icm/SMTP/show_server_header FALSE Prohibits information disclosure by the Internet Communication Manager (ICM) Server Header.
icm/HTTP/auth_<x> PREFIX=/,PERMFILE=/<filepath>/permfile,FILTER=SAP

Enables URL Filtering through the Authorization Handler (ideally in the form of a URL Whitelist, so that everything else unknown will be blocked).

Web Dispatchers less than 7.31: Do an update urgently or use wdisp/permission_table instead.

icm/HTTP/admin_<x> 1.) Should contain CLIENTHOST=<IP Adresse(s) of Admin Clients, semicolon separated> Restricts administrative access to a defined admin client.
icm/HTTP/error_templ_path /usr/sap/<SID>/<Instance>/data/icmerror Redirects the disclosure of error information to an individual error page (this can be a blank one).
rdisp/TRACE_HIDE_SEC_DATA 1 Disables sensitive personal information such as security session cookies in HTTP request/response traces.
icm/trace_secured_data 0 Deactivates the display of HTTPS data packages in ICM traces.
icm/accept_forwarded_cert_via_http 0 Disables HTTPS certificate forwarding as HTTP header.
icm/trusted_reverse_proxy_<x> Should not contain wildcards (*) for SUBJECT or ISSUER Trusts only selected Reverse Proxys.
icm/server_port_<x> should contain PROT=HTTPS (instead of HTTP) Protects the Server Port using HTTPS.
wdisp/use_sap_vhost_for_dispatching FALSE Parameter has been removed in the current version of the template.

(Placeholders for System IDs, filepaths and ascending numbers are written as <Placeholder>.)

 

Security Monitoring in Solution Manager Configuration Validation

The compliance with these security parameters can be monitored using the SAP Solution Manager Configuration Validation application.

[A general introduction to Configuration Validation (what are comparison list, target system, configuration store & configuration items) can be found in the previous blog post How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder – Step: 3. Create a Configuration Validation Report]

 

Problem: It is not possible to validate the instance profile

 

For standalone Web Dispatchers (non-ABAP systems) the following Config Stores are available:

  • <SID>_<Instance>_<hostname> (Configuration of the Instance Profile)
  • DEFAULT.PFL (Configuration of the Default Profile)

By design, security parameters are configured in the Instance Profile. As you can see, this has a different name in each system (<SID>_<Instance>_<hostname>).

For an evaluation over several systems the Config Stores must have the same name (see Instance Profile Config Store “ABAP_INSTANCE_PAHI” in ABAP systems).

=> An evaluation across several Web Dispatcher systems is therefore only possible using the Default Profile.

This leads us to the following workaround:

 

Workaround: Moving the security parameters to the Default Profile

 

The following two security relevant parameters are located in the instance profile by default:

  • icm/server_port_<x>
  • icm/HTTP/admin_<x>

In the first step, these two must be moved to the Default-Profile

Problem: If the parameters are still used in the instance profile, the desired value of the default profile will be overwritten.

Recommendation: Write a reminder/reference to the relocated security configuration, such as:

#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in the Default Profile (DEFAULT.pfl)
# Do NOT use the following Parameters in this Instance Profile:
# is/HTTP/show_server_header
# is/HTTP/show_detailed_error
# icm/SMTP/show_server_header
# icm/HTTP/auth_<x>
# icm/HTTP/admin_<x>
# icm/HTTP/error_templ_path
# rdisp/TRACE_HIDE_SEC_DATA
# icm/trace_secured_data
# icm/accept_forwarded_cert_via_http
# icm/trusted_reverse_proxy_<x>
# icm/server_port_<x>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------

This ensures that there is no accidental double configuration. The rest of the security configuration can now be carried out in the Default Profile.

 

Exemplary security configuration in the Default Profile

 

An exemplary security configuration in the default profile could then look like this:

#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in this Default Profile.
# Do NOT overwrite the following Parameters in the Instance Profile:
is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=/sapmnt/<SID>/profile/permfile,FILTER=SAP
icm/HTTP/error_templ_path = /usr/sap/<SID>/<Instance>/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0
icm/trusted_reverse_proxy_0 = SUBJECT="",ISSUER=""
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=<Port>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),CLIENTHOST=<IP address>
#-----------------------------------------------------------------------#

 

Building a Configuration Validation Target System

 

Now a corresponding Target System can be used to monitor whether the exemplary Default Profile configuration exists on all Web Dispatcher systems.

Since the Config Store “DEFAULT.PFL” is of type “Text”, it is now time to work with regular expressions.

In my case, the following suggestion worked well:

Line Content Operator Operator Pattern
is/HTTP/show_server_header = FALSE = is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE = is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE = icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 Regex .*profile/permfile,FILTER=SAP
icm/HTTP/admin_0 Regex .*CLIENTHOST=.*
icm/HTTP/error_templ_path Regex .*/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1 = rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0 = icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0 = icm/accept_forwarded_cert_via_http = 0
icm/trusted_reverse_proxy_0 Regex ^.*(ISSUER|SUBJECT)[^*]+$
icm/server_port_0 Regex .*icm/server_port_0 = PROT=HTTPS.*
icm/server_port_1 Regex .*icm/server_port_1 = PROT=HTTPS.*
icm/server_port_2 Regex .*icm/server_port_2 = PROT=HTTPS.*

 

Running the Target System against a dynamic Web Dispatcher Comparison List

 

This newly created Target System “WDPSEC” can be run against a dynamic Comparison List for Web Dispatcher systems:

For me, the following Operator Validation Report gave clear results: :

  • 0TPL_0SMD_VCA2_CITEMS_REF [Shows all configuration items (config stores and configuration items selectable]

 

Result: Custom Web Dispatcher Security Report

 

After making the following optional visual adjustments to the report:

Removed rows

(Context Menu – Remove Drilldown)

Added rows

(Navigation Block – Free Characteristics – Drilldown in the Rows)

Filtered rows

(Context Menu – Select Filter Value)

  • ConfigStore Name
  • Goto
  • Config Item
  • Cv. DataOperator
  • Compliance
    • Item not found
    • Yes

it results in the following Web Dispatcher Security Report:

(For illustrative purposes the parameters “is/HTTP/show_server_header” and “icm/trace_secured_data” were changed to non-compliant values)

 

This is an exemplary way how the security configuration for standalone Web Dispatcher systems can be monitored.

Further ideas, suggestions for improvement or additions are welcome in the comments.

 

Addition: Presentation in a Security Dashboard

Reports in Configuration Validation are very technical but in most cases sufficient.

If you need a clearer, fiori-based dashboard view, you can use this report as a basis for further configuration in Dashboard Builder.

How to do that is explained in: How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder – Step: 4. Display Configuration Validation Report results in the Dashboard

 

Sources and related content

┬╣ SAP Security Baseline Template Version 2.2 (2020-11): https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html#section_180229955

How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder: https://blogs.sap.com/2019/04/26/how-to-create-fiori-based-security-dashboards-in-solution-manager-dashboard-builder/

How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard-builder/

Assigned tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.