
SAP Web Dispatcher 6.40 for SAP Web AS Java
Jochen Rundholz
NW RIG APA
SAP AG 2004, SAP Web Dispatcher / Jochen Rundholz / 2
RIG Know How Conf Calls
Please:
All participants will be muted
Questions in the Q&A section at the end
Important issues via WebEx chat
Mute your phone
Use the Mute button where available or
Key in *6* to mute and *6* to unmute in case you want to ask a question
Give feedback for further improvements
Introduction
Installation
Administration
Introduction Web Applications and Web Servers
Introduction Load Balancer
Requirements of Business Web Applications
Scalability and performance
Scale out via additional application servers: load balancer necessary
Dynamic content leads to low fraction of cacheable content
Transactional
Session persistence necessary
Security
Protection of application servers (DMZ, reverse proxies, firewalls, ...)
Authentication
Encryption
Stability
High availability is necessary
"Old" SAP Application Server Architecture
[Diagram: SAP GUI (DIAG), RFC Client/Server, Dispatcher, Gateway, Work Processes, RDBMS]
SAP Web Application Server 6.40
[Diagram: RFC Client/Server, Browser (HTTP), SAP GUI (DIAG), ICM, J2EE Dispatcher, J2EE Server Processes, Dispatcher, Gateway, Work Processes, RDBMS]
System Communication
[Diagram: Internet, Web Browser/Web Server, SAP GUI, ICM, MS, MPI, JCo, HTTP; ABAP: ABAP-Dispatcher with work processes (WP); JAVA: Java-Dispatcher with servers, SDM; Central Services: Enqueue Server, Message Server]
Introduction Web Applications and Web Servers
Introduction Load Balancer
Load Balancing Design Criteria
Load balancing mechanism (client or server side)
End-to-end SSL or SSL termination in load balancer.
In-depth vs. end-to-end security, need to inspect traffic
Persistence mechanism (session ID or IP address)
Client certificate authentication
Cost of device
Performance
Robustness and high availability
Ease of configuration and operation (TCO)
Integration into existing infrastructure and security policy
Facts and Features of SAP Web Dispatcher
Usability
Single point of access: only one URL for user, only one official IP address
Load balancing and configuration via message server
Scalability and performance
Software solution, not a hardware solution
Transactional
Session persistence via cookie (HTTP) or IP address (HTTPS)
Security
Protection of application servers (DMZ, reverse proxy, firewalls, ...)
Authentication
SSL Termination, end to end SSL, re-encryption
Simple request filtering
Hardware Load Balancer vs. SAP Web Dispatcher
Pro
Additional features
Re-use existing infrastructure
Unified Web infrastructure for all Web systems (SAP and non-SAP)
Contra
Cost
Less integrated with SAP Web AS
Configuration, operation, maintenance requires special expertise
Load Balancing Mechanisms (Redirection & DNS)
Redirections
Simple
Bad user experience and maintenance
DNS based methods
Perhaps OK for intranet
OK for global load balancing
Generally not OK for server load balancing
Drawbacks of Redirection
Many official external DNS names and IP addresses
Confusing for the user, bookmarking destroys load balancing
With SSL
Server certificate must match URL
Every application server needs separate server certificate
High administrative overhead
Expensive
May lead to unnecessary user authentication dialogs
Load Balancing Mechanisms (Server Side)
Load balancing device
Transparent for client
Always the same URL
One official IP address for all application servers
One server certificate for all servers
Technically challenging
Usually preferable
[Diagram: Load Balancer, three Application Servers]
Web Dispatcher
[Diagram: http://web.acme.com, SAP Web Dispatcher, Message Server, Central Instance, two Dialog Instances, RDBMS]
Web Dispatcher For Multiple SAP Web AS
Multiple Web Dispatchers on different TCP ports
Not recommended
J2EE session cookies overwrite each other.
SSL to port other than 443 often not possible
[Diagram: one IP address; https://web on port 443 and https://web:444 on port 444; two SAP Web Dispatchers, each with Corporate Network and SAP Web AS]
Web Dispatcher For Multiple SAP Web AS
Multiple Web Dispatchers on different (virtual) IP addresses
Recommended
[Diagram: https://web1 on IP1 port 443 and https://web2 on IP2 port 443; two SAP Web Dispatchers, each with Corporate Network and SAP Web AS]
Integration Into Web Server / Reverse Proxy
Integrate SAP Web AS services into Web site
Forward requests for /sap* to SAP Web AS
Optional Web Dispatcher for scaling
[Diagram labels: Internet, Firewall, Web Server with Reverse Proxy Module (port 443), Static Web Pages, /sap*, other, Firewall, SAP Web AS]
Network Security
Optional high security network with internal firewall
[Diagram labels: Internet, Access Router & Firewall, Secure Server Network (DMZ) with Application Proxy and Web Servers, Firewall, Internal Server Network with SAP Web Application Server and Applications, DB, Internal Firewall, High Security Network with Protected Applications (R/3, FI, HR etc.) and Database]
Introduction
Installation
Administration
Sizing
Installation
High Availability
CPU Sizing
No measurements available yet
Main factor is the usage of SSL
No SSL at all
Termination of SSL
Termination and re-encryption of SSL
Termination of SSL is expensive
Re-encryption is not very expensive since only the handshake is expensive and the handshake between server and SAP Web Dispatcher has to be done only every couple of hours
Memory sizing
Memory usage for internal tables
Server tables
Holding information about connected servers
Usually very small (90 kB default, few MB for very large system)
Connection tables
Holding information about the open connections
concurrent_conn = (users * req_per_dialog_step * conn_keepalive_sec) / thinktime_per_diastep_sec
mpi/total_size_mb = (concurrent_conn * mpi_buffer_size) / (1024 * 1024)
Default: mpi_buffer_size = 32kB
Default: mpi/total_size_mb = 500
End to End SSL table
1.8 MB for 10.000 entries
Sizing
Installation
High Availability
Installing the SAP Web Dispatcher
Media for the web dispatcher is provided with the J2EE kernel:
C:\usr\sap\<SID>\<Central-Instance>\exe\sapwebdisp.exe
icmadmin.SAR
To install and set up the SAP Web Dispatcher:
1. Download kernel files from SAP Service Marketplace
2. Extract kernel using sapcar -xvf
3. Copy the sapwebdisp.exe and icmadmin.SAR files to a directory on what is to be the Web Dispatcher host.
4. Use sapcar -xvf to extract the icmadmin.SAR file into that directory.
5. Execute sapwebdisp -bootstrap to generate an initial profile for the Web Dispatcher
6. Start the web dispatcher with sapwebdisp pf=sapwebdisp.pfl
Download from service.sap.com/download
Unpack kernel
These are only the minimum files; sometimes additional files might be used/helpful
Unpack icmadmin.SAR & Folder Structure
Configuring the SAP Web Dispatcher
Necessary Input
Important Information
Basic files after installation
Developer Trace
Hashed Password of User
SAP Web Dispatcher executable
SAP Web Dispatcher profile
Additional Information
Some additional information regarding the installation
Version information via sapwebdisp -v
Trace file dev_webdisp in web dispatcher directory
MS platforms: msvcp71.dll and msvcr71.dll must exist (OSS 684106)
Start SAP Web Dispatcher via
sapwebdisp.exe pf=<drive>:\<path>\sapwebdisp.pfl
OSS notes: 538405
Sizing
Installation
High Availability
Web Dispatcher High Availability
[Diagram: high availability cluster of two SAP Web Dispatchers with fail-over, redundant network infrastructure, Corporate Network, SAP Web AS]
High Availability of SAP Web Dispatcher - Basics
Some basic information
Fail over software has to be provided by hardware partner
No automatic restart possibility of web dispatcher process in case of process crash on MS or iSeries platforms
Automatic restart possibility given on UNIX platforms via watchdog
Watchdog on UNIX
Setup of watchdog on UNIX
Start the SAP web dispatcher with the option -auto_restart
The SAP web dispatcher forks and creates a child process
Both processes have access to the same resources
The child process takes over the actual work, the parent process provides the watchdog functionality
Introduction
Installation
Administration & Configuration
Basics
Load Balancing
Session Persistence
SSL Options
sapwebdisp.pfl
Typical Web Dispatcher Parameter File:
Basic Profile parameters
These are the most basic profile parameters
SAPSYSTEM
Must be unique on the host and must be in the range 0-98
Used to distinguish shared memory segments of different SAP Web Dispatchers on the same host
rdisp/mshost
Hostname of the host where the message server is running (in case of double stack installation the ABAP MS has to be used)
ms/http_port
Port of the message server
wdisp/auto_refresh
Time to refresh internal routing tables
icm/server_port_0
protocol and port where the dispatcher is listening for incoming requests
icm/http_admin_0
Configuration of admin access
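Added example (not part of the original slides): a pre-start check for the SAPSYSTEM rules above, run over the profiles of all Web Dispatchers on one host. The sample profiles, their values and the PROT=...,PORT=... value syntax of icm/server_port_0 are assumptions, since the slide does not show them.

```python
import re

REQUIRED = ("SAPSYSTEM", "rdisp/mshost", "ms/http_port", "icm/server_port_0")

# Constructed sample profiles for two Web Dispatchers on the same host
PROFILE_A = """# sapwebdisp.pfl (constructed sample)
SAPSYSTEM = 10
rdisp/mshost = mshost.example
ms/http_port = 8101
wdisp/auto_refresh = 120
icm/server_port_0 = PROT=HTTP,PORT=8080
"""
PROFILE_B = PROFILE_A.replace("PORT=8080", "PORT=8081")  # same SAPSYSTEM on purpose

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_profile(params):
    """Problems visible in a single profile."""
    problems = [f"missing {k}" for k in REQUIRED if k not in params]
    sysnr = params.get("SAPSYSTEM", "")
    if sysnr and not (sysnr.isdigit() and 0 <= int(sysnr) <= 98):
        problems.append(f"SAPSYSTEM {sysnr!r} outside 0-98")
    return problems

def listen_port(params):
    m = re.search(r"PORT=(\d+)", params.get("icm/server_port_0", ""))
    return int(m.group(1)) if m else None

def check_host(profiles):
    """profiles: {name: params} for every Web Dispatcher on one host."""
    problems, seen_sys, seen_port = [], {}, {}
    for name, params in profiles.items():
        problems += [f"{name}: {p}" for p in check_profile(params)]
        for seen, value, what in ((seen_sys, params.get("SAPSYSTEM"), "SAPSYSTEM"),
                                  (seen_port, listen_port(params), "port")):
            if value is not None and value in seen:
                problems.append(f"{name}: {what} {value} already used by {seen[value]}")
            seen.setdefault(value, name)
    return problems

if __name__ == "__main__":
    print(check_host({"a": parse_profile(PROFILE_A), "b": parse_profile(PROFILE_B)}))
```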
Administration Tool
dev_wdisp
sapwebdisp.pfl plus default values
sapwebdisp -v
Basics
Load Balancing
Session Persistence
SSL Options
Load Balancing Mechanism: Overview
Load balancing device needs information about system state
Configuration
Manual
Retrieve from SAP Message Server (hosts, port numbers, ...)
Load balancing
Round-robin (weighted)
Load-based
Use information from SAP Message Server
High availability
Check individual Web AS instances
Use information from SAP Message Server
Load Balancing Server Determination
Load Balancing: Capacity
Capacity value is provided by message server
Capacity of an instance is equal to the number of server processes of that instance
Capacity value from message server can be overwritten by configuration (OSS note 645130)
Load Balancing Strategy
wdisp/load_balancing_strategy
weighted_round_robin (default): requests are distributed in turn to the servers, depending on their relative capacity
Preferable for end to end SSL
simple_weighted_round_robin: requests are distributed in turn to the servers, depending on their absolute capacity
Preferable for very large systems (number of application servers)
Load Balancing: Overruling Message Server
Set the parameter wdisp/server_info_location =
UNIX: file:///<Path>/info.icr
MS: file://C:\<Path>\info.icr
The file info.icr looks like
Version 1.0
J2EE3537200
J2EE host1 50000 LB=2
P4 host1 50004 LB=2
J2EE23799700
J2EE host2 50200 LB=1
P4 host2 50204 LB=1
The format is:
J2EE<Server node>
J2EE <hostname> <Port> LB=<capacity>
P4 <hostname> <Port> LB=<capacity>
LB values have to be identical
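Added example (not part of the original slides): a validator for the info.icr format described above, useful before pointing wdisp/server_info_location at a hand-edited file. It assumes that each server node carries exactly one J2EE and one P4 line, as in the slide's sample, and reads "LB values have to be identical" as applying within one server node.

```python
import re

# Contents of info.icr as shown on the slide
SAMPLE = """Version 1.0
J2EE3537200
J2EE host1 50000 LB=2
P4 host1 50004 LB=2
J2EE23799700
J2EE host2 50200 LB=1
P4 host2 50204 LB=1
"""

NODE = re.compile(r"^J2EE(\d+)$")                              # J2EE<Server node>
ENTRY = re.compile(r"^(J2EE|P4)\s+(\S+)\s+(\d+)\s+LB=(\d+)$")  # <proto> <hostname> <Port> LB=<capacity>

def parse_info_icr(text):
    """Return ({node: [(proto, host, port, capacity), ...]}, [problems])."""
    nodes, problems, current, seen_version = {}, [], None, False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Version "):
            seen_version = True
            continue
        node, entry = NODE.match(line), ENTRY.match(line)
        if node:
            current = node.group(1)
            nodes.setdefault(current, [])
        elif entry is None:
            problems.append(f"line {no}: unrecognised line {line!r}")
        elif current is None:
            problems.append(f"line {no}: entry before any J2EE<Server node> line")
        elif not 0 < int(entry.group(3)) < 65536:
            problems.append(f"line {no}: port {entry.group(3)} out of range")
        else:
            proto, host, port, lb = entry.groups()
            nodes[current].append((proto, host, int(port), int(lb)))
    if not seen_version:
        problems.append("missing 'Version' header")
    for node, entries in nodes.items():
        # Assumption: one J2EE and one P4 line per server node, as in the sample
        if sorted(e[0] for e in entries) != ["J2EE", "P4"]:
            problems.append(f"node {node}: expected one J2EE and one P4 line")
        if len({e[3] for e in entries}) > 1:
            problems.append(f"node {node}: LB values differ")
    return nodes, problems

if __name__ == "__main__":
    print(parse_info_icr(SAMPLE))
```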
Monitoring Load Balancing
These values change over time, according to the load balancing strategy
Basics
Load Balancing
Session Persistence
SSL Options
Load Balancing + Stateful User Sessions
[Diagram: Load Balancer, two Application Servers, Session State, 1st request, 2nd request]
Stateful User Sessions
Complex applications are usually stateful
Hold database locks
Store intermediate SQL results etc.
Session state persistent between requests ("roll area")
HTTP is a stateless protocol
Successive requests may open a new network connection
SAP Web AS uses session ID to recognize user session
Session cookie
Part of the request URL ("URL rewriting")
Persistence Mechanisms
Session ID (Cookie or URL)
Detect actual application need for session persistence
Requires no state in load balancer, because SAP session ID contains application server instance name
Requires access to clear text HTTP request (Termination of SSL in LB)
IP address of client
Works also with encrypted traffic
Problems with proxies: not good for Internet
No way to detect stateless requests
Problems with alternative host names
Cookies inserted into the data stream by load balancer
Works "out-of-the-box"
Problems with some SAP applications
Requires access to clear text HTTP request
Basics
Load Balancing
Session Persistence
SSL Options
Secure Socket Layer
Encryption is required for business applications
Protect user credentials (e.g. passwords)
Data security
Secure Socket Layer (SSL)
SSL encrypts entire communication between browser and server
Server authentication (mandatory)
Browser verifies that server certificate matches URL
Client authentication with X.509 certificates (optional)
Server takes identity of user from browser certificate
End point of SSL session is either
Application Server (end-to-end security)
Web infrastructure component (in-depth security)
Web Dispatcher In DMZ
Web Dispatcher is an application layer gateway, but does not have full reverse proxy functionality.
Possibly filter requests
End-to-end SSL or SSL Termination
Encrypted or clear text traffic
[Diagram: Internet, Firewall, SAP Web Dispatcher, Firewall, Corporate Network, SAP Web AS]
Web Dispatcher End-to-end SSL Mode
Pro
Client authentication with X.509 certificates
End-to-end data security
Load balancer is "untrusted" component
Contra
Persistence based on client IP address only
Load balancing problems
Proxies
End-of-session
But: IP address based persistence usually OK in intranet
No logon groups
No distinction between J2EE and ABAP applications
End-to-End SSL Revisited
All servers used by an SAP Web Dispatcher share the same certificate
Good: few certificates
Bad, because:
Every load balancer must use an exclusive set of servers
Multiple load balancers must use non-overlapping groups of servers
Example: different URLs for internal and external users
[Diagram: SAP Systems with Load Balancers and Application Servers labelled host1 and host2, internal and external]
Web Dispatcher SSL Termination Mode
Pro
Persistence based on application session ID
Logon groups
Detection of application type (ABAP / J2EE), select correct server
Request parsing and URL Filtering
SSL re-encryption is possible
Contra
Harder to configure
Web Dispatcher becomes "trusted" component (secure channel to Web AS needed)
Make sure Web Dispatcher does not become performance bottleneck
Please provide any feedback to improve our services!
jochen.rundholz@sap.com
Feedback
Thank You !
Questions?
Q&A