cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

WSSecurity - WebDispatcher(reverse proxy)

Go to solution
VCUNTHEE
Participant

on ‎07-22-2009 11:14 PM

0 Kudos

Hi All,

We are planning to implement webservices using PI 7.1 and would like to capitalise on the WSSecurity standard along with the Webdispatcher performing the reverse proxy functionality. Is there a standard procedure to do that? Where can we find more information in terms of the interoperability of WSSecurity with reverse proxy using SAP Netweaver. We do not want to use SSL. Is it a possiblity.

Thanks in advance.

Vedavyas

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

stefan_grube
Active Contributor
‎07-23-2009 9:35 AM
0 Kudos

WSSecurity and WebDispachter is not related.

The WebDispatcher simply redirects the incoming calls, the WSSecurity header is validated by the receiver, for example the PI system.

Web Dispatcher:

http://help.sap.com/saphelp_nwpi71/helpdata/en/46/d5491e2d2b65d0e10000000a155369/frameset.htm

WS Security:

http://help.sap.com/saphelp_nwpi71/helpdata/en/47/158e990cbb3696e10000000a11466f/frameset.htm

Show replies
Show replies
VCUNTHEE
Participant
‎07-23-2009 12:30 PM
0 Kudos

Hi Stefan,

Thanks for those links, that clearly explains what options we have to implement reverse Invoke and WSSecurity. We are challenged with validating the external WSS calls in the DMZ itself, as we see ,if we try to use WSSecuroty with WebDispatcher as reverse invoke, we may not be able to validate the who is coming in till the request hits, PI7.1 system. First we wanted to validate. When we were looking at the various cases, is it possible to have the X.509 certificate in WebDispatcher DMZ and validate and bring in the user, is that good idea or practice.

Externalcall http(WSSecure)> | Webdisp(DMZ,X.509) | http(WSSecure)> |PI7.1|

Thanks in advance.

Vedavyas

stefan_grube
Active Contributor
‎07-23-2009 12:35 PM
0 Kudos

Have you thought about putting a decentral adapter into the DMZ? Then you could do the validation there.

VCUNTHEE
Participant
‎07-23-2009 12:59 PM
0 Kudos

Hi Stefan,

Thanks again --> we were thinking about it, but for some reason we got diverted. Are there any draw backs in terms of maitenence for the Decentral adapter.

We have lot of pros to this, but can we use this as a reverse invoke.

Do people use SAP Router for WS Scenario.

Thanks,

Vedavyas

stefan_grube
Active Contributor
‎07-24-2009 9:48 AM
0 Kudos

As I know, the Web Dispatcher is not able to validate WS security. Maybe tools from other vendors can do this?

A non-central adapter engine could be set up like this:

||         DMZ 1    ||       DMZ 2      ||
---> Web Dispatcher --> Adapter Engine  --> PI 
||                  ||                  ||

So the adapter engine could do the validation of WS security, before it leaves the DMZ.

Maybe you put the question also in the Security forum

Regards

Stefan

VCUNTHEE
Participant
‎07-25-2009 3:50 AM
0 Kudos

Thanks Stefan!!

If we go with Decentral adapter in DMZ, we were planning to have one Webdispatcher in front of it. Will that be a viable option.

In that case

Web ---> | DMZ(Decentral) | -->PI

Thanks,

Vedavyas

stefan_grube
Active Contributor
‎07-28-2009 12:05 AM
0 Kudos

> If we go with Decentral adapter in DMZ, we were planning to have one Webdispatcher in front of it. Will that be a viable option.

Sure. The Web Dispatcher and decentral Adapter Engine can be in DMZ both.

Claus_Gosmer
Explorer
‎08-30-2011 1:41 PM
0 Kudos

Hi Stefan !

We're in a similar situation, where we're building our new 7.3 environment 8-). We are considering whether to just use a web dispatcher in the DMZ, acting as a reverse proxy towards our AAE's in our central PI environment, or whether to put a complete AAE in our DMZ.

In our current environment, we're exposing webservices in the DMZ using a decentral adapter engine, but we're wondering whether we could go with only having a webdispatcher in the DMZ. Is there a described best-practise for exposing PI functionality in a DMZ, or a list of design-criteria to consider ?

In the future we're also going to use the AS2-adapter from Seeburger, how should that affect our design-choise ?

BR.

Claus Gosmer

Answers (0)

Ask a Question