on 02-01-2012 5:31 PM
Has anyone configured Web Dispatcher to route HTTPS traffic without terminating it via Modification Handlers? It does not work for me. I think the issue may be that the HTTPS traffic is encrypted, so the Web Dispatcher is not able to inspect it. Or, it could be that I have it set as a "ROUTER" and it does not inspect it. Any advice?
We have a Five System Landscape; Two Parallel Development Landscapes (QA1 and QA2), and one Regression Test Landscape (QR3). Development systems are not discussed as they have no partner connectivity (DA1 and DA2).
Goal: Install one Web Dispatcher for all QAS systems in order to provide a Load Balancer.
Supporting Documentation:
How to Scale Up Netweaver Process Integration
(http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c02f072f-3799-2c10-e0b8-d98d323c0908?QuickLink=index&overridelayout=true )
How to Fast-Switch Integration Scenarios between SAP PI Runtimes, Part II: Web Dispatcher
(http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/304039f4-d1e4-2d10-cb83-d90b3880258d?QuickLink=index&overridelayout=true )
SAP Netweaver CE 7.2: SAP Web Dispatcher for Multiple Systems
(http://help.sap.com/saphelp_nwce72/helpdata/en/b0/ebfa88e9164d26bdf1d21a7ef6fc25/frameset.htm )
Requirements: We want to have one external IP opened in our firewall. e.g. 192.168.1.10. We want to create three hostname aliases that resolve to the same exact external IP. e.g. slqqa1.acme.com, slqqa2.acme.com, slqqr3.acme.com all resolve to 192.168.1.10. Partners can then point to any of the three environments to conduct their test with the respective systems. One of three WSDLs from the QAS systems will be provided to the partners, indicating which system they should be connecting to.
1. We do not want to terminate the SSL at the dispatcher because we use the SSL Client Certificates for authenticating partner logins, so we want the SSL Client certificate to pass through the DISPATCHER to the backend PI system. To accomplish this, we modified the Web Dispatcher Profile as follows:
icm/server_port_1 = PROT=ROUTER,PORT=443,TIMEOUT=900,EXTBIND=1
2. We want to use Modification Handlers to route the inbound transactions based on HTTP_HOST
To our profile we add:
wdisp/system_0 = SID=QA1, MSHOST=slqqa1, MSPORT=8101
wdisp/system_1 = SID=QA2, MSHOST=slqqa2, MSPORT=8101
wdisp/system_2 = SID=QR3, MSHOST=slqqr3, MSPORT=8101
To $(DIR_GLOBAL)/security/data/icm_filter_rules.txt we add:
#QA1 requests
if % regimatch slqqa1*
SetHeader x-sap-webdisp-target-sid QA1 [break]
#QA2 requests
if % regimatch slqqa2*
SetHeader x-sap-webdisp-target-sid QA2 [break]
#QR3 requests
if % regimatch slqqr3*
SetHeader x-sap-webdisp-target-sid QR3 [break]
Result: Configuration fails. Since the incoming web traffic is HTTPS, I think the SOAP HEADERS are encrypted, as a result the Web Dispatcher cannot determine the hostname in HTTP_HOST and cannot route the traffic as desired. I changed the above configuration to use port 8100 instead of 443, and changed ROUTER to HTTP, and the configuration works.
Hi Michael,
This is some scenario you are trying to setup, but in theory it should be possible using SAP Web Dispatcher.
First of all - you are correct in the assumption that WD does not understand any of the additional HTTP headers when you are using End-to-End SSL. See Restrictions-section in this link.
But there seems to be a way around this by using SSL termination including X.509-Based logon. See this link
How much work this is to set up I really have no idea about, but based on the fact that you've already come this far in the setup of WD I would think this would be easy for you.
Best regards,
Jacob
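Added example, not part of the original thread and not SAP code: a Python illustration of what an intermediary that forwards TLS without terminating it can read from the first bytes of a connection, and why a Host-based routing rule then has nothing to match. The routing table, function names and sample bytes are constructed for illustration, and simple prefix matching stands in for the filter rules quoted in the question.

```python
import struct

# Host alias prefix -> target SID, mirroring the three aliases in the question.
# Prefix matching is a simplification of the filter rules (assumption).
ROUTES = {"slqqa1": "QA1", "slqqa2": "QA2", "slqqr3": "QR3"}

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def classify(first_bytes: bytes) -> str:
    """Return 'tls' if the bytes start a TLS record, else 'http' or 'unknown'."""
    if len(first_bytes) >= 5:
        ctype, major, _minor, length = struct.unpack("!BBBH", first_bytes[:5])
        if ctype == TLS_HANDSHAKE and major == 3 and length > 0:
            return "tls"
    head = first_bytes.split(b"\r\n", 1)[0]
    if head.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    return "unknown"


def visible_host(first_bytes: bytes):
    """Host header value an intermediary can read, or None if not readable."""
    if classify(first_bytes) != "http":
        return None
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None


def target_sid(first_bytes: bytes):
    """SID chosen from the Host header, or None when nothing can be matched."""
    host = visible_host(first_bytes)
    if host is None:
        return None
    return next((sid for p, sid in ROUTES.items() if host.startswith(p)), None)


# Constructed samples: a plaintext request (as on port 8100) and the start of
# a TLS ClientHello record (as on port 443; header + truncated handshake body).
PLAIN = b"POST /constructed/path HTTP/1.1\r\nHost: slqqa2.acme.com:8100\r\n\r\n"
TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4]) + b"\x03\x03" + b"\x00" * 32
```
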