You are on page 1of 4

10/30/2014 654982 ­ URL requirements due to Internet standards

https://websmp130.sap­ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui/main.do?param=69765F6D6F64653D3030332669765F7361706E6F7465735F6B65793D… 1/4
SAP Note
      654982 ­ URL requirements due to Internet standards  
Version   10     Validity:
08.12.2011 ­ active  
Language   English
Header Data
Released On 09.12.2011 15:10:23
Release Status Released for Customer
Component BC Basis Components
Other Components
BC­BSP Business Server Pages
BC­JAS Java Application Server ­ Please use sub­components
BC­MID­ICF Internet Communication Framework
BC­NET Network Infrastructure
BC­WD Web Dynpro
EP­PIN SAP NetWeaver Portal
Priority Recommendations / Additional Info
Category Installation information
Symptom
1. Cookies (particularly: MYSAPSSO2) are not set
(even though the server issues these and the browser accepts cookies. Filtering reverse proxies
have also been ruled out as the source of the error.).
2. https does not work.
The browser reports the following error or warning (or similar): "Certificate name is invalid and
is unsuitable for the server", or the ICM trace contains the following message, or similar:
MatchTargetName("<hostA.domain. tld>", "CN=<hostB.domain.tld>, OU=<...>, O=<...>, C=<...>")
Other Terms
Cookie, URL, URI, FQDN, SSL, X.509, Single Sign-On (SSO), icm/host_name_full
Reason and Prerequisites
These problems occur either because only the host name, but not the domain (=> FQDN, fully qualified
domain name), is specified in the URL, or because the domain that you use does not satisfy the
requirements of the cookie specification (for more information, see:
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html).
Point 1:
To enable the browser to decide to which server a cookie may be sent, the URL must include the domain
specification since this information is used as a basis for the decision.
The cookie specification intensifies this requirement by determining that
domains with the extension "com", "edu", "net", "org", "gov", "mil" or "int" must include at least
one additional domain component (usually the name of the company or organization), while
10/30/2014 654982 ­ URL requirements due to Internet standards
https://websmp130.sap­ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui/main.do?param=69765F6D6F64653D3030332669765F7361706E6F7465735F6B65793D… 2/4
any domain with a different extension (including the national top-level domains in particular, for
example, "de", "uk", "fr", and so on) must consist of at least two additional domain parts.
For example:
http://www.sap.com/... - this is acceptable
http://www.sap.de/... - this is not acceptable
http://www.public.sap.de/... - this is acceptable
Comment:
Some browsers (for example, Microsoft Internet Explorer) are less strict and also permit domains that
violate the cookie specification rules listed above. To the best of our knowledge (for which we cannot be
held responsible), all domains whose penultimate domain components consists of at least three characters
seem to be generally accepted (because otherwise there would be problems, for example with all British
domains, due to insufficient restrictions on how cookies are sent):
http://www.sap.de - for MS IE: acceptable
http://www.xy.co.uk - acceptable (conforms to specifications)
http://www.xy.co.uk - acceptable (conforms to specifications)
http://www.co.uk - not acceptable (in accordance with the specifications)
Point 2:
Along with encrypted data transfer, the use of SSL (=> https) is designed to ensure that the specified
server (for example, an enterprise or an organization) is authentic. SSL server certificates are used for
this purpose. The browser checks each https URL to see whether the complete host name contained in the
URL corresponds to the relevant specification (=> Common Name, CN) of the checked SSL server certificate.
If the browser detects a variance, it triggers a warning (or an error).
For example:
The SSL server certificate was issued to "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf,
C=DE". Then the following URLs are considered:
http://tcs.mysap.com/... - no SSL/https
https://tcs.mysap.com/... - this is acceptable
https://tcs01.mysap.com/... - Warning/error
In the case of an SSL server certificate that was issued to "CN=mysap.com, and so on", all of the URLs
that are mentioned above return an error.
On the other hand, in the case of an SSL server certificate that was issued to "CN=*.mysap.com, ...", the
two https URLs would work without errors. However, a Certification Authority (CA) usually sets up its own
rules for the parts of the certificates that it issues (and therefore authenticates). The use of
wildcards (*) in the common name is not usually permitted.
Comment:
When you use SSL scheduling reverse proxies (before the Web server/SAP Web Application Server/SAP J2EE
server), you must make sure that the SSL server certificate of the reverse proxies corresponds to the
host name of the reverse proxies that is visible to the browser.
General information about SSL and the SAP Web Application Server is available at
http://service.sap.com/security > Security in Detail > Infrastructure Security: "Network and Transport
Layer Security" and http://service.sap.com/security > Security in Detail > Archive (Old Documents): "SAP
Web Application Server Security".
Solution
Use fully-specified host names (including the domain specification) in URLs and make sure that you only
use domains that conform to the rules defined in the cookie specification.
Validity
10/30/2014 654982 ­ URL requirements due to Internet standards
https://websmp130.sap­ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui/main.do?param=69765F6D6F64653D3030332669765F7361706E6F7465735F6B65793D… 3/4
This document is not restricted to a software component or software component version
References
This document refers to:
SAP Notes
1257108   Collective Note: Analyzing issues with Single Sign On (SSO)
1009930   (Display) problems in View Designer when loading view
945516   Web Dynpro ABAP in a portal environment
888362   Helpful technical hints for installing and maintaining MIC
830830   Inf. broadcasting: Typical problems with folder selection
817529   Checking the SSO configuration
805344   How URLs are generated automatically in BW
763427   Error message for domain name with underscore
701205   Single Sign­On using SAP Logon Tickets
677118   SP31­> Fully Qualified Domain Names Check
632440   Domain barrier in the browser of the SAP Enterprise Portal
612670   SSO for local BSP calls using SAP GUI HTML Control
611361   Hostnames of SAP servers
585042   Reduction of the data transfer Web middleware/browser
517860   Logging on to BSP applications
356691   Problem analysis: SAP logon ticket with Workplace SSO
This document is referenced by:
SAP Notes (17)
677118   SP31­> Fully Qualified Domain Names Check
1009930   (Display) problems in View Designer when loading view
632440   Domain barrier in the browser of the SAP Enterprise Portal
612670   SSO for local BSP calls using SAP GUI HTML Control
611361   Hostnames of SAP servers
517860   Logging on to BSP applications
585042   Reduction of the data transfer Web middleware/browser
830830   Inf. broadcasting: Typical problems with folder selection
1257108   Collective Note: Analyzing issues with Single Sign On (SSO)
888362   Helpful technical hints for installing and maintaining MIC
805344   How URLs are generated automatically in BW
356691   Problem analysis: SAP logon ticket with Workplace SSO
701205   Single Sign­On using SAP Logon Tickets
654326   Domain restrictions in a portal environment
817529   Checking the SSO configuration
945516   Web Dynpro ABAP in a portal environment
763427   Error message for domain name with underscore
10/30/2014 654982 ­ URL requirements due to Internet standards
https://websmp130.sap­ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui/main.do?param=69765F6D6F64653D3030332669765F7361706E6F7465735F6B65793D… 4/4
Attachments
File Name File Size (KB) Mime Type
Netscape_Cookie_Specification.pdf 19 application/pdf