on 07-10-2012 3:22 PM
Hi,
We've implemented an external-facing portal with SAP Web Dispatcher as reverse proxy and it is working perfectly fine. This is our current setup.
Browser -> Hardware load balancer (CSS) -> SAP Web Dispatcher (this is in DMZ) -> SAP J2EE Engine (in intranet, uses ABAP UME) -> SAP ECC (in intranet).
Currently the authentication is happening in the intranet. We want to perform the authentication in the DMZ. To accomplish this, we are planning to synchronize the LDAP in the DMZ with the ABAP UME in the intranet and use CA (Netegrity) SiteMinder for authentication. I read through several documents and posts on SDN and it appears that we have to use Apache or IIS as the front-end web server where we have to install the SiteMinder Web Agent and Session Linker. Knowing that SAP Web Dispatcher has limited capability (not a full-fledged reverse proxy), is there a way to use SAP Web Dispatcher as the front-end web server?
Thanks
Ram
Hi Ram,
Do I understand correctly that you want to install the SiteMinder web agent on the SAP Web Dispatcher, instead of using Apache or IIS? I don't believe this is possible; the SAP Web Dispatcher isn't a web server like Apache or IIS... check the SiteMinder supported web servers where you can install the web agent... I doubt that SAP Web Dispatcher is one of them, is it?
One other solution you might consider is to put an empty Java stack into the DMZ that is used only for authentication and connects to the DMZ LDAP. This Java stack would issue a valid SAP Logon ticket to the authenticated user and then forward them into the intranet zone where the existing portal can be configured to accept the ticket.
BRgds,
Simon
Thanks Simon.
I too thought SAP Web Dispatcher cannot handle this but wanted to hear from fellow SCN members. You are correct, SAP Web Dispatcher is not listed among the supported web servers in the SiteMinder documentation.
I like your idea of installing a dummy Java stack in the DMZ, pointing it to LDAP and generating a logon ticket. This will eliminate the need to use SiteMinder. However, our company is heading towards using SiteMinder as we foresee requirements to integrate with non-SAP applications and also some external applications. Using SiteMinder will enable all types of SSO. Most likely we'll end up using Apache.
Originally we thought of using Apache for reverse proxy but went with SAP Web Dispatcher because SAP said they officially support only Web Dispatcher. If we end up going with Apache, is it better to use it as both front-end web server and reverse proxy? Or use it only as front-end web server and use SAP Web Dispatcher for reverse proxy and load balancing?
Thanks
Ram
Hi Ram,
I can't comment regarding the best configuration to use, all I can tell you is that I worked on site once where they used both Apache and SAP Web Dispatcher in the solution. They seemed to work well together.
Using SiteMinder makes lots of sense for enabling third-party SSO too. I suppose another option, esp. for third-party SSO, is to use SAML.
Good luck!
Simon
but went with SAP Web Dispatcher because SAP said they officially support only Web Dispatcher
SAP Web Dispatcher is the preferred software solution for reverse proxy with load balancing, as WD understands the SAP load balancing protocol (message server). I doubt that you'll have no support when using Apache as the reverse proxy. Although with Apache you won't get the benefit of the "smart" load balancing WD does.
You are right, Tobias. WD can do better load balancing (interaction with message server, weighted round-robin and session stickiness with saplb cookie) compared to others. We had another reason to not go with Apache, as it required enabling the mod_proxy module and our enterprise security team raised a concern about it.
Regarding support, this is what SAP told us.
"We cannot help with troubleshooting the proxy server as it is not from SAP."
Thanks
Ram
Tobias,
Our security team ran Qualys scans and found that there are some known vulnerabilities with mod_proxy (http://httpd.apache.org/security/vulnerabilities_22.html). We used to get sporadic proxy errors like "Error reading from remote server", "204 No content" etc. and that is when we tried to get some help from SAP. Anyway, this was 6 months ago. We went with SAP WD and have had no issues so far.
With the SiteMinder initiative now, we'll have to look into Apache as RP again. Do you have any suggestion/preference between the options below?
Option 1:
Browser -> Hardware Load balancer -> Apache (Front-end web server, Reverse proxy, load balancer) -> SAP J2EE Engine -> SAP ECC
Option 2:
Browser -> Hardware Load balancer -> Apache (Front-end web server) -> SAP Web Dispatcher (Reverse proxy, load balancer) -> SAP J2EE Engine -> SAP ECC
Thanks
Ram
Ram,
Well, not using software because of known security issues that are fixed makes your corporate security team's work interesting. You can still use the newest version of Apache: 2.4.2. SAP support won't solve issues regarding your proxy configuration, but your landscape is still supported. In that regard, I would choose option 2:
You get load balancing and reverse proxy with Web Dispatcher, and when you suspect/encounter an error with Apache / SiteMinder, you can still access SAP via Web Dispatcher. If the error occurs there too, you can add SAP support.
Hi,
Thanks for a great post. We were also wondering if Web Dispatcher could be used as the front-end web server – thanks for clearing this up.
We are considering using the SiteMinder web agent and session linker to provide SSO for a new ABAP Web Dynpro. It appears that an AS Java system is required since the SiteMinder solution uses a Java login module. Is it possible to use the SiteMinder agent without an AS Java system in the picture?
Thanks,
Rob
moved from portal forum to SAP Netweaver Application Server