Professional Documents
Culture Documents
SAP Web Dispatcher 6 40 Webinar Power Point
SAP Web Dispatcher 6 40 Webinar Power Point
Jochen Rundholz
NW RIG APA
Transcational
Session persistance necessary
Security
Protection of application servers (DMZ, revers proxys, fire walls, ...) Authentication Encryption
Stability
High availibility is necessary
DIAG
Dispatcher Gateway
Work Processes
RDBMS
RFC
HTTP
DIAG
Dispatcher
Gateway
RFC
System Communication
SAP GUI Web Browser/ Web Server
Internet
ICM
MS
MPI
HTTP
ABAP-Dispatcher
Java-Dispatcher
SDM
WP ABAP
...
WP
Server
JCo
. . . Server
JAVA
Cost of device Performance Robustness and high availability Ease of configuration and operation (TCO) Integration into existing infrastructure and security policy
Transactional
Session persistence via cookie (HTTP) or IP address (HTTPS)
Security
Protection of application servers (DMZ, reverse proxy, fire walls, ...) Authentication SSL Termination, end to end SSL, re-encryption Simple request filtering
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 11
Contra
Cost Less integrated with SAP Web AS Configuration, operation, maintenance requires special expertise
Drawbacks of Redirection
Many official external DNS names and IP addresses Confusing for the user, bookmarking destroys load balancing With SSL
Server certificate must match URL Every application server needs separate server certificate High administrative overhead Expensive
Application Server
Application Server
Application Server
Web Dispatcher
Dialog Instance
Dialog Instance
443
https://web https://web:444
IP
444
Not recommended
J2EE session cookies overwrite each other. SSL to port other than 443 often not possible
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 17
IP1 443
https://web1 https://web2
IP2 443
Recommended
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 18
Web Server
Internet
other 443
Firewall
/sap*
SAP Web AS
Network Security
Optional high security network with internal firewall
Secure Serv. SecureServer Network (DMZ) Network (DMZ) Web Servers Web Servers
Network
Applications Applications
Firewall Firewall
Firewall Firewall
Firewall Firewall
Internet Internet
DB
Database
DB
DB
CPU Sizing
No measurements available yet Main factor is the usage of SSL
No SSL at all Termination of SSL Termination and re-encryption of SSL
Termination of SSL is expensive Re-encryption is not very expensive since only the handshake is expensive and the handshake between server and SAP Web Dispatcher has to be done only every couple of hours
Memory sizing
Memory usage for internal tables
Server tables
Holding information about connected servers Usually very small (90 kB default, few MB for very large system)
Connection tables
Holding information about the open connections concurrent_conn = (users * req_per_dialog_step *conn_keepalive_sec)/ (thinktime_per_diastep_sec) mpi/total_size_mb = (concurrent_conn * mpi_buffer_size)/(1024* 1024)
Default: mpi_buffer_size = 32kB Default: mpi/total_size_mb = 500
To install and setup the SAP Web Dispatcher: 1. Download kernel files from SAP service market place 2. Extract kernel using sapcar -xvf 3. Copy the sapwebdisp.exe and icmadmin.SAR files to a directory on what is to be the Web Dispatcher host. 4. Use sapcar xvf to extract the icmadmin.SAR file into that directory. 5. Execute sapwebdisp bootstrap to generate an initial profile for the Web Dispatcher 6. Start the web dispatcher with sapwebdisp pf=sapwebdisp.pfl
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 26
Unpack kernel
These are only the minimum files sometimes additional files might be used/helpful
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 28
Necessary Input
Important Information
Developer Trace Hashed Password of User SAP Web Dispatcher executable SAP Web Dispatcher profile
Additional Information
Some additional information regarding the installation
Version information via sapwebdisp -v Trace file dev_webdisp in web dispatcher directory MS platforms: msvcp71.dll and msvcr71.dll must exist (OSS 684106) Start SAP Web Dispatcher via sapwebdisp.exe pfl=<drive>:\<path>\sapwebdisp.pfl OSS notes: 538405
Watchdog on UNIX
Setup on watchdog on UNIX
Start the SAP web dispatcher with the option auto_restart The SAP web dispatcher will fork and creates a child process Both processes have access to the same resources The child process will take over the actual work, the parent process provides the watchdog functionality
sapwebdisp.pfl
Typical Web Dispatcher Parameter File:
rdisp/mshost
Hostname of the host where the message server is running (in case of double stack installation the ABAP MS has to be used)
ms/http_port
Port of the message server
wdisp/auto_refresh
Time to refresh internal routing tables
icm/server_port_0
protocol and port where the dispatcher is listening for incoming requests
icm/http_admin_0
Configuration of admin access
Administration Tool
Load balancing
Round-robin (weighted) Load-based Use information from SAP Message Server
High availability
Check individual Web AS instances Use information from SAP Message Server
Capacity value is provided by message server Capacity of an instance is equal to the number of server processes of that instance Capacity value from message server can be overwritten by configuration (OSS note 645130)
simple_weighted_round_robin: requests are distributed in turn to the servers, depending on their absolute capacity
Preferable for very large systems (amount of application servers)
The file info.icr looks like Version 1.0 J2EE3537200 J2EE host1 50000 LB=2 P4 host1 50004 LB=2 J2EE23799700 J2EE host2 P4 host2
The format is:
J2EE<Server node> J2EE <hostname> <Port> LB=<capacity> P4 <hostname> <Port> LB=<capacity>
These values change over time, according to the load balancing strategy
Session State
u req est
Application Server
Load Balancer
1st
2n d
req
u es
Application Server
Persistence Mechanisms
Session ID (Cookie or URL)
Detect actual application need for session persistence Requires no state in load balancer, because SAP session ID contains application server instance name Requires access to clear text HTTP request (Termination of SSL in LB)
IP address of client
Works also with encrypted traffic Problems with proxies not good for Internet No way to detect stateless requests Problems with alternative host names
Secure Socket Layer (SSL) SSL encrypts entire communication between browser and server Server authentication (mandatory)
Browser verifies, that server certificate matches URL
Internet
Firewall
Firewall
Contra
Persistence based on client IP address only Load balancing problems Proxies End-of-session But: IP address based persistence usually OK in intranet No logon groups No distinction between J2EE and ABAP applications
SAP System
SAP System
Every load balancer must use an exclusive set of servers Multiple load balancers must use non-overlapping groups of servers
Example: different URLs for internal and external users
external external
Application
host2 host2
Load Load Balancer
host2 host2
Balancer
Contra
Harder to configure Web Dispatcher becomes "trusted component (secure channel to WebAS needed) Make sure Web Dispatcher does not become performance bottleneck
Feedback
Please provide any feedback to improve our services! jochen.rundholz@sap.com
Thank You !
Questions?
Q&A
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 60