Web Dispatcher


SAP Web Dispatcher 6.40 for SAP Web AS Java

Jochen Rundholz
NW RIG APA

RIG Know How Conf Calls


Please:
All participants will be muted
Questions in the Q&A section at the end
Important issues via WebEx chat

Mute your phone
Use the Mute button where available, or key in *6* to mute and *6* to unmute in case you want to ask a question

Give feedback for further improvements

SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 2

Introduction Installation Administration

Introduction Web Applications and Web Servers Introduction Load Balancer

Requirements of Business Web Applications


Scalability and performance
  Scale-out via additional application servers necessary: load balancer
  Dynamic content leads to a low fraction of cacheable content

Transactional
  Session persistence necessary

Security
  Protection of application servers (DMZ, reverse proxies, firewalls, ...)
  Authentication
  Encryption

Stability
  High availability is necessary

"Old" SAP Application Server Architecture


[Diagram: SAP GUI (DIAG) and RFC client/server (RFC) connect to an application server consisting of Dispatcher, Gateway and Work Processes on top of the RDBMS]

SAP Web Application Server 6.40


[Diagram: Browser (HTTP), SAP GUI (DIAG) and RFC client/server (RFC) connect to ICM, Dispatcher and Gateway; also shown are the Work Processes, the J2EE Dispatcher with the J2EE Server Processes, and the RDBMS]

System Communication
[Diagram: SAP GUI and Web browser/Web server (Internet) communicate with the system; components shown: ICM, HTTP, MPI, Message Server (MS), Central Services (Message Server, Enqueue Server), ABAP Dispatcher with ABAP work processes (WP), Java Dispatcher with Java server processes, SDM, JCo]

Introduction Web Applications and Web Servers Introduction Load Balancer

Load Balancing Design Criteria


Load balancing mechanism (client or server side)
End-to-end SSL or SSL termination in load balancer
  In-depth vs. end-to-end security, need to inspect traffic
Persistence mechanism (session ID or IP address)
Client certificate authentication

Cost of device
Performance
Robustness and high availability
Ease of configuration and operation (TCO)
Integration into existing infrastructure and security policy

Facts and Features of SAP Web Dispatcher


Usability
  Single point of access: address only one URL for user, only one official IP
  Load balancing and configuration via message server

Scalability and performance
  Software solution, not a hardware solution

Transactional
  Session persistence via cookie (HTTP) or IP address (HTTPS)

Security
  Protection of application servers (DMZ, reverse proxy, firewalls, ...)
  Authentication
  SSL termination, end-to-end SSL, re-encryption
  Simple request filtering

Hardware Load Balancer vs. SAP Web Dispatcher


Pro
  Additional features
  Re-use existing infrastructure
  Unified Web infrastructure for all Web systems (SAP and non-SAP)

Contra
  Cost
  Less integrated with SAP Web AS
  Configuration, operation, maintenance requires special expertise

Load Balancing Mechanisms (Redirection & DNS)


Redirections
  Simple
  Bad user experience and maintenance

DNS based methods
  Perhaps OK for intranet
  OK for global load balancing
  Generally not OK for server load balancing

Drawbacks of Redirection
Many official external DNS names and IP addresses
Confusing for the user, bookmarking destroys load balancing
With SSL
  Server certificate must match URL
  Every application server needs separate server certificate
  High administrative overhead
  Expensive
May lead to unnecessary user authentication dialogs

Load Balancing Mechanisms (Server Side)


Load balancing device
  Transparent for client
  Always the same URL
  One official IP address for all application servers
  One server certificate for all servers
  Technically challenging
  Usually preferable

[Diagram: one Load Balancer in front of three Application Servers]

Web Dispatcher

[Diagram: SAP Web Dispatcher (http://web.acme.com) in front of two Dialog Instances and the Central Instance; Message Server and RDBMS shown]

Web Dispatcher For Multiple SAP Web AS


Multiple Web Dispatchers on different TCP ports

[Diagram: one IP address; https://web goes to a SAP Web Dispatcher on port 443, https://web:444 to a second SAP Web Dispatcher on port 444; each dispatcher fronts a SAP Web AS in the corporate network]

Not recommended
  J2EE session cookies overwrite each other
  SSL to a port other than 443 is often not possible

Web Dispatcher For Multiple SAP Web AS


Multiple Web Dispatchers on different (virtual) IP addresses

[Diagram: https://web1 goes to a SAP Web Dispatcher on IP1, port 443, https://web2 to a second SAP Web Dispatcher on IP2, port 443; each dispatcher fronts a SAP Web AS in the corporate network]

Recommended

Integration Into Web Server / Reverse Proxy


Integrate SAP Web AS services into Web site
Forward requests for /sap* to SAP Web AS
Optional Web Dispatcher for scaling

[Diagram: Internet, firewall, Web server on port 443 with static Web pages and a reverse proxy module, second firewall, SAP Web AS; requests for /sap* go to SAP Web AS, other requests stay on the Web server]

Network Security
Optional high security network with internal firewall

[Diagram: network zones separated by firewalls: Internet, access router and firewall, Secure Server Network (DMZ) with Web servers and application proxy, Internal Server Network with application servers (SAP Web AS) and databases, and behind an internal firewall the High Security Network with protected applications and databases (R/3, FI, HR etc.)]

Introduction Installation Administration

Sizing Installation High Availability

CPU Sizing
No measurements available yet
Main factor is the usage of SSL
  No SSL at all
  Termination of SSL
  Termination and re-encryption of SSL

Termination of SSL is expensive
Re-encryption is not very expensive, since only the handshake is expensive and the handshake between server and SAP Web Dispatcher has to be done only every couple of hours

Memory sizing
Memory usage for internal tables

Server tables
  Holding information about connected servers
  Usually very small (90 kB default, few MB for very large system)

Connection tables
  Holding information about the open connections
  concurrent_conn = (users * req_per_dialog_step * conn_keepalive_sec) / thinktime_per_diastep_sec
  mpi/total_size_mb = (concurrent_conn * mpi_buffer_size) / (1024 * 1024)
  Default: mpi_buffer_size = 32 kB
  Default: mpi/total_size_mb = 500

End-to-end SSL table
  1.8 MB for 10.000 entries

Sizing Installation High Availability

Installing the SAP Web Dispatcher

Media for the Web Dispatcher is provided with the J2EE kernel:
  C:\usr\sap\<SID>\<Central-Instance>\exe\sapwebdisp.exe
  icmadmin.SAR

To install and set up the SAP Web Dispatcher:
1. Download the kernel files from SAP Service Marketplace
2. Extract the kernel using sapcar -xvf
3. Copy the sapwebdisp.exe and icmadmin.SAR files to a directory on what is to be the Web Dispatcher host
4. Use sapcar -xvf to extract the icmadmin.SAR file into that directory
5. Execute sapwebdisp -bootstrap to generate an initial profile for the Web Dispatcher
6. Start the Web Dispatcher with sapwebdisp pf=sapwebdisp.pfl

Download from service.sap.com/download


Unpack kernel

These are only the minimum files; sometimes additional files might be used/helpful

Unpack icmadmin.SAR & Folder Structure


Configuring the SAP Web Dispatcher

Necessary Input

Important Information


Basic files after installation

Developer Trace
Hashed Password of User
SAP Web Dispatcher executable
SAP Web Dispatcher profile

Additional Information
Some additional information regarding the installation
  Version information via sapwebdisp -v
  Trace file dev_webdisp in Web Dispatcher directory
  MS platforms: msvcp71.dll and msvcr71.dll must exist (OSS 684106)
  Start SAP Web Dispatcher via sapwebdisp.exe pf=<drive>:\<path>\sapwebdisp.pfl
  OSS notes: 538405

Sizing Installation High Availability

Web Dispatcher High Availability

[Diagram: redundant network infrastructure; two SAP Web Dispatchers in a high availability cluster with failover, in front of the SAP Web AS in the corporate network]

High Availability of SAP Web Dispatcher - Basics


Some basic information
  Failover software has to be provided by hardware partner
  No automatic restart possibility of Web Dispatcher process in case of process crash on MS or iSeries platforms
  Automatic restart possibility given on UNIX platforms via watchdog

Watchdog on UNIX
Setup of watchdog on UNIX
  Start the SAP Web Dispatcher with the option auto_restart
  The SAP Web Dispatcher forks and creates a child process
  Both processes have access to the same resources
  The child process takes over the actual work; the parent process provides the watchdog functionality

Introduction Installation Administration & Configuration

Basics Load Balancing Session Persistence SSL Options

sapwebdisp.pfl
Typical Web Dispatcher Parameter File:


Basic Profile parameters


These are the most basic profile parameters
SAPSYSTEM
Must be unique on the host and must be in the range between 0 and 98
Used to distinguish shared memory segments of different SAP Web Dispatchers on the same host

rdisp/mshost
Hostname of the host where the message server is running (in case of double stack installation the ABAP MS has to be used)

ms/http_port
Port of the message server

wdisp/auto_refresh
Time to refresh internal routing tables

icm/server_port_0
protocol and port where the dispatcher is listening for incoming requests

icm/http_admin_0
Configuration of admin access


Administration Tool

[Screenshot callouts: dev_wdisp; sapwebdisp.pfl plus default values; sapwebdisp -v]

Basics Load Balancing Session Persistence SSL Options

Load Balancing Mechanism: Overview


Load balancing device needs information about system state

Configuration
  Manual
  Retrieve from SAP Message Server (hosts, port numbers, ...)

Load balancing
  Round-robin (weighted)
  Load-based
  Use information from SAP Message Server

High availability
  Check individual Web AS instances
  Use information from SAP Message Server

Load Balancing Server Determination


Load Balancing: Capacity

Capacity value is provided by message server
Capacity of an instance is equal to the number of server processes of that instance
Capacity value from message server can be overwritten by configuration (OSS note 645130)

Load Balancing Strategy


wdisp/load_balancing_strategy
weighted_round_robin (default): requests are distributed in turn to the servers, depending on their relative capacity
Preferable for end to end SSL

simple_weighted_round_robin: requests are distributed in turn to the servers, depending on their absolute capacity
Preferable for very large systems (number of application servers)

Load Balancing: Overruling Message Server


Set the parameter wdisp/server_info_location =
  UNIX: file:///<Path>/info.icr
  MS: file://C:\<Path>\info.icr

The file info.icr looks like
  Version 1.0
  J2EE3537200
  J2EE host1 50000 LB=2
  P4 host1 50004 LB=2
  J2EE23799700
  J2EE host2 50200 LB=1
  P4 host2 50204 LB=1

The format is:
  J2EE<Server node>
  J2EE <hostname> <Port> LB=<capacity>
  P4 <hostname> <Port> LB=<capacity>

LB values have to be identical
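
Added example (not part of the original slides): a small Python check for an info.icr file in the layout shown above, flagging unparseable lines and nodes whose J2EE and P4 entries carry different LB values. Reading "LB values have to be identical" as applying to the two entries of one server node, and requiring both entries per node, are assumptions; the function names are illustrative.

```python
import re

# Constructed sample in the layout the slide describes (hosts, ports and
# node IDs are the slide's own illustration values).
SAMPLE_ICR = """Version 1.0
J2EE3537200
J2EE host1 50000 LB=2
P4 host1 50004 LB=2
J2EE23799700
J2EE host2 50200 LB=1
P4 host2 50204 LB=1
"""

NODE_RE = re.compile(r"^J2EE(\d+)$")  # J2EE<Server node>
ENTRY_RE = re.compile(r"^(J2EE|P4)\s+(\S+)\s+(\d+)\s+LB=(\d+)$")

def parse_icr(text):
    """Return ({node_id: {protocol: (host, port, lb)}}, [errors])."""
    nodes, errors, current = {}, [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Version "):
        errors.append("missing Version header")
    for line in lines:
        if line.startswith("Version "):
            continue
        node, entry = NODE_RE.match(line), ENTRY_RE.match(line)
        if node:
            current = nodes.setdefault(node.group(1), {})
        elif entry and current is not None:
            proto, host, port, lb = entry.groups()
            if not 0 < int(port) < 65536:
                errors.append(f"port out of range: {line}")
            current[proto] = (host, int(port), int(lb))
        else:
            errors.append(f"unparseable or orphaned line: {line}")
    return nodes, errors

def check_icr(text):
    """Return a list of problems; an empty list means the file is consistent."""
    nodes, errors = parse_icr(text)
    for node_id, protos in nodes.items():
        missing = sorted({"J2EE", "P4"} - protos.keys())
        if missing:  # assumption: every node carries both entries, as on the slide
            errors.append(f"node {node_id}: missing {'/'.join(missing)} entry")
        elif protos["J2EE"][2] != protos["P4"][2]:
            errors.append(f"node {node_id}: LB values differ")
    return errors

if __name__ == "__main__":
    print(check_icr(SAMPLE_ICR) or "info.icr is consistent")
```

Because this file overrules what the message server reports, running such a check before each Web Dispatcher restart catches a truncated or hand-edited entry before it changes routing.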


Monitoring Load Balancing

These values change over time, according to the load balancing strategy


Basics Load Balancing Session Persistence SSL Options

Load Balancing + Stateful User Sessions

[Diagram: a Load Balancer in front of two Application Servers; labels: 1st request, 2nd request, Session State]

Stateful User Sessions


Complex applications are usually stateful
  Hold database locks
  Store intermediate SQL results etc.
  Session state persistent between requests ("roll area")

HTTP is a stateless protocol
  Successive requests may open a new network connection

SAP Web AS uses session ID to recognize user session
  Session cookie
  Part of the request URL ("URL rewriting")

Persistence Mechanisms
Session ID (Cookie or URL)
  Detect actual application need for session persistence
  Requires no state in load balancer, because SAP session ID contains application server instance name
  Requires access to clear text HTTP request (termination of SSL in LB)

IP address of client
  Works also with encrypted traffic
  Problems with proxies: not good for Internet
  No way to detect stateless requests
  Problems with alternative host names

Cookies inserted into the data stream by load balancer
  Works "out-of-the-box"
  Problems with some SAP applications
  Requires access to clear text HTTP request

Basics Load Balancing Session Persistence SSL Options

Secure Socket Layer


Encryption is required for business applications
  Protect user credentials (e.g. passwords)
  Data security

Secure Socket Layer (SSL)
  SSL encrypts entire communication between browser and server
  Server authentication (mandatory)
    Browser verifies that server certificate matches URL
  Client authentication with X.509 certificates (optional)
    Server takes identity of user from browser certificate

End point of SSL session is either
  Application Server (end-to-end security)
  Web infrastructure component (in-depth security)

Web Dispatcher In DMZ


Web Dispatcher is an application layer gateway, but does not have full reverse proxy functionality.

Possibly filter requests
End-to-end SSL or SSL termination

[Diagram: Internet, firewall, SAP Web Dispatcher, firewall, SAP Web AS in the corporate network; encrypted or clear text traffic]

Web Dispatcher End-to-end SSL Mode


Pro
  Client authentication with X.509 certificates
  End-to-end data security
  Load balancer is "untrusted" component

Contra
  Persistence based on client IP address only
  Load balancing problems
  Proxies
  End-of-session
  But: IP address based persistence usually OK in intranet
  No logon groups
  No distinction between J2EE and ABAP applications

End-to-End SSL Revisited


All servers used by an SAP Web Dispatcher share the same certificate
  Good: few certificates
  Bad, because:
    Every load balancer must use an exclusive set of servers
    Multiple load balancers must use non-overlapping groups of servers
    Example: different URLs for internal and external users

[Diagram: an internal and an external Load Balancer in front of the Application Servers of the SAP System; the servers are labelled host1 and host2]

Web Dispatcher SSL Termination Mode


Pro
  Persistence based on application session ID
  Logon groups
  Detection of application type (ABAP / J2EE), select correct server
  Request parsing and URL filtering
  SSL re-encryption is possible

Contra
  Harder to configure
  Web Dispatcher becomes "trusted" component (secure channel to Web AS needed)
  Make sure Web Dispatcher does not become performance bottleneck

Feedback
Please provide any feedback to improve our services! jochen.rundholz@sap.com

Thank You !


Questions?

Q&A