cancel
Showing results for 
Search instead for 
Did you mean: 

SAP HANA URLs not working from SiteMinder

former_member188396
Participant
0 Kudos

Hello,

We have below scenario which is working fine right now.

We have HANA SP10 server and using one of the container. Web Dispatcher is configured on HANA for the multi container. (This WD has nothing to do with Fiori requirement of WD.)

Now, we have another Gateway server where we have Fiori components installed (for HANA, we have SAP smart business installed for the usage of KPIs.)

On the same gateway server, we have Web dispatcher installed and configured to work for HANA Fiori analytical apps.

Now, WD url works fine for Fiori launchpad and HANA KPIs. Everything is good!!

Now, we have SiteMinder in the landscape which allows our systems to be accessible from internet. So, to make HANA Fiori apps available from internet, we would like to utilize SiteMinder to work as Web Dispatcher (which was installed on the gateway server earlier and not the HANA WD). So, that we can replace additional WD with the SiteMinder which is already in place.

Our SiteMinder team has done configurations and written the redirection rules to forward the request to the HANA server for below extensions.

/sap/hana/*

/sap/hba/*

/<custom package>/*

Now, when we try to access the HANA Login page or one of the xsodata service running on the HANA server using SiteMinder URL, it gives 503 error.

Below is the error screenshot.

SiteMinder team has found below error in the log files. I was trying to search online but could not find the right solution for it. Our Basis folks also do not have an idea how to resolve it.

x-sap-icm-err-id: ICMENOSYSTEMFOUND


Can you please help if you know what could be the issue?

Thanks,

Bhavik

Accepted Solutions (1)

Accepted Solutions (1)

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Bhavik,

If I understood the landscape correctly, it would be something like:

   User from the internet -> SiteMinder*  -> HANA WD**

   * 3rd party load balancer

   ** the WD that is installed / integrated with the HANA

You have also mentioned that the HANA is configured for "multi container". Is this the multi-tenant feature of the HANA?

If yes, maybe the SAP note 2224748 can help.

In case it does not help, do you see any errors at the HANA WD trace file (that would be located at the folder "/usr/sap/<HANA SID>/<HANA Instance>/<hostname>/webdispatcher_<hostname>.<number>_dev_webdisp")?

Please also attach the HANA WD profile (usually located at "/usr/sap/<HANA SID>/<HANA Instance>/<hostname>/tmp/temp_sapwebdisp_do_not_change.pfl").

Regards,

Isaías

former_member188396
Participant
0 Kudos

Hi Isaias,

Yes, that is correct from the landscape perspective. SiteMinder is working as reverse proxy as well as third party load balancer which exposes internal URLs to the internet accessible.

We have HANA is configured for Multi Container however, just utilizing one container at this point. It is a multi-tenant feature of the HANA.

I will share the SAP note with our HANA Basis folks to check and verify. I will update you with the results. Also, I will verify the HANA WD trace files and share the results.

Thanks,

Bhavik

former_member188396
Participant
0 Kudos

Hi Isaias,

Please find below the profile details. We are using MNN container.

This profile has been generated from webdispatcher.ini.

# Do not change this file! The Web Dispatcher has to be

configured in webdispatcher.ini!

# Use the HANA Studio to configure the Web Dispatcher!

wdisp/enable_admin_ui_for_sid=SYS

SAPSYSTEM=00

SAPSYSTEMNAME=MNN

DIR_INSTANCE=/usr/sap/MNN/HDB00/vmhst001

DIR_EXECUTABLE=/usr/sap/MNN/HDB00/exe

icm/HTTP/hdb_0=TRUE

wdisp/add_client_protocol_header=1

wdisp/HTTP/use_pool_for_new_conn=1

icm/max_sockets=($(icm/max_conn) * 2)

icm/req_queue_len=6000

icm/min_threads=10

icm/max_threads=500

mpi/total_size_MB=(min(0.06 * $(icm/max_conn) + 50, 2000))

mpi/max_pipes=($(icm/max_conn) *

2)

wdisp/HTTP/max_pooled_con=($(icm/max_conn))

wdisp/HTTPS/max_pooled_con=0

wdisp/add_xforwardedfor_header=true

icm/HTTPS/forward_ccert_as_header=true

icm/HTTP/max_request_size_KB=-1

wdisp/use_heap_for_mpis=true

wdisp/HTTP/esid_support=false

wdisp/HTTP/jsessionid_tab_support =false

ipc/sem_mon_off=true

icm/ccms_monitoring=false

is/hostbuffer_timeout_valid_entry=0

is/hostbuffer_timeout_invalid_entry=0

ssl/ssl_lib=/usr/sap/MNN/HDB00/exe/libsapcrypto.so

ccl/fips/enable=0

ssl/server_pse=SAPSSLS.pse

ssl/ciphersuites=142:HIGH:MEDIUM:!aNULL

ssl/client_ciphersuites=142:HIGH:MEDIUM:!aNULL

icm/security_log=LOGFILE=

$(DIR_INSTANCE)/trace/dev_icm_sec,MAXSIZEKB=500

icm/max_conn=2000

icm/server_port_0=PROT=HTTP,PORT=80$(SAPSYSTEM),PROCTIMEOUT=600

icm/server_port_1=PROT=HTTPS,PORT=43$(SAPSYSTEM),PROCTIMEOUT=600

icm/HTTP/admin_0=PREFIX=/sap/hana/xs/wdisp/admin,DOCROOT=$(DIR_INSTANCE)/wdisp/admin,AUTHFILE=backend

wdisp/filter_xs_internal_uri=false

wdisp/system_auto_configuration=true

wdisp/system_10=SID=SYS,

EXTSRV=localhost:30014, SRCVHOST=vmhst001.cokeonena.com

wdisp/system_11=SID=CCG, EXTSRV=localhost:30045,

SRCVHOST=vmhst001-ccg.cokeonena.com

wdisp/system_12=SID=MNN, EXTSRV=localhost:30008, SRCVHOST=vmhst001-

mnn.cokeonena.com

wdisp/system_13=SID=CCN, EXTSRV=localhost:30042, SRCVHOST=vmhst001-ccn.cokeonena.com

Thanks,

Bhavik

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Bhavik,

How does the SiteMinder reach the HANA WD?

Does it use virtual hostnames configured at the HANA WD?

Or does it use a different port from the HANA WD, for each of the HANA tenants?

This WIKI page might help you.

Regards,

Isaías

former_member188396
Participant
0 Kudos

Hi Isaias,

From SiteMinder, we are using HANA direct URLs. URLs has virtual hostnames. Like,

xyz001.domain.com

xyz001-mnn.domain.com

xyz001-ccg.domain.com

I have heard from the basis folks that port number is common for all the HANA tenants. But, I will have to confirm again whether that is true as I am not involved in that technical configuration.

FYI...

We had the web dispatcher configured on the gateway server earlier and used the same HANA URLs to configure there. It is working with the external web dispatcher.
But, when we try with SiteMinder (to replace this web dispatcher), it is giving this 503 error.

-Bhavik

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Bhavik,

You you had an external WD that was working on this landscape, but SiteMinder is not working with a similar configuration, then I can only suggest that you involve your SiteMinder support team, so they investigate what is happening / why SiteMinder is not sending the requests as expected (e.g., is it really using the virtual hostnames?).

I do not have knowledge on this SiteMinder load balancer.

Confirming the port numbers would also be a good idea. Maybe this is what is missing (at the SiteMinder settings about how it should reach the HANA).

Regards,

Isaías

former_member188396
Participant
0 Kudos

Hi,

Port is common on HANA web dispatcher and they determine based on the virtual host name for specific container.

Also, while talking to them, they said that they had to put this in the rules.txt file on the external WD from where it is working right now.

But, I do not understand that. Do you?

vlmhst001:/usr/sap/WDM/W03 # more rules.txt
if %{SID} = MNN
begin
SetHeader HOST vlmhst001-mnn.domain.com
End


Thanks,

Bhavik

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Bhavik,

These rules are defining the virtual hostname to be used to access the HANA WD for each HANA container (through the HTTP header named "HOST").

It seems that we were at the right track already.

The SiteMinder has to do this as well (set the HTTP header "HOST" to the virtual hostname of the particular HANA container it is forwarding the request to).

In other words, if the SiteMinder received a request that is related to the HANA container MNN (using your last reply for the example), the SiteMinder has to set the HTTP header "HOST" with the value "vlmhst001-mnn.domain.com".

This is how the HANA WD will identify the correct HANA container to handle the request (through the HTTP header named "HOST").

Regards,

Isaías

former_member188396
Participant
0 Kudos

Does it mean, that is the only way to do it?

Or anything can be changed at HANA side so that we do not have to do this rules? (Asking to see if SiteMinder folks says that it would not be possible)

-Bhavik

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Bhavik,

You could change the HANA WD settings as well.

Instead of using the hostname to identify the correct HANA container, the HANA WD could be configured to open multiple ports (one port for each HANA container, instead of one hostname to each HANA container).

Then, SiteMinder would have to be adjusted as well.

But instead of setting the HTTP header HOST, it would have to send the connection to the correct port.

Regards,

Isaías

Answers (0)