sapnote_0000654982
20.03.2010 Page 1 of 4

SAP Note 654982 - URL requirements due to Internet standards

Note Language: English Version: 9 Validity: Valid Since 17.07.2008

Summary

Symptom

1. Cookies (particularly: MYSAPSSO2) are not set (even though the server issues these and the browser accepts cookies. Filtering reverse proxies have also been ruled out as the source of the error.).

2. https does not work. The browser reports the following error or warning (or similar): "Certificate name is invalid and is unsuitable for the server", or the ICM trace contains the following message, or similar:

MatchTargetName("<hostA.domain.tld>", "CN=<hostB.domain.tld>, OU=<...>, O=<...>, C=<...>")

More Terms

Cookie, URL, URI, FQDN, SSL, X.509, Single Sign-On (SSO), icm/host_name_full

Cause and Prerequisites

These problems occur either because only the host name, but not the domain (=> FQDN, fully qualified domain name), is specified in the URL, or because the domain that you use does not satisfy the requirements of the cookie specification (for more information, see: http://wp.netscape.com/newsref/std/cookie_spec.html).

Point 1:

To enable the browser to decide to which server a cookie may be sent, the URL must include the domain specification since this information is used as a basis for the decision. The cookie specification intensifies this requirement by determining that

o domains with the extension "com", "edu", "net", "org", "gov", "mil" or "int" must include at least one additional domain component (usually the name of the company or organization), while

o any domain with a different extension (including the national top-level domains in particular, for example, "de", "uk", "fr", and so on) must consist of at least two additional domain parts.

For example:

- http://www.sap.com/... - this is acceptable

- http://www.sap.de/... - this is not acceptable

- http://www.public.sap.de/... - this is acceptable

Comment:

Some browsers (for example, Microsoft Internet Explorer) are less strict and also permit domains that violate the cookie specification rules listed above. To the best of our knowledge (for which we cannot be held responsible), all domains whose penultimate domain component consists of at least three characters seem to be generally accepted (because otherwise there would be problems, for example with all British domains, due to insufficient restrictions on how cookies are sent):

- http://www.sap.de - for MS IE: acceptable

- http://www.xy.co.uk - acceptable (conforms to specifications)

- http://www.co.uk - not acceptable (in accordance with the specifications)
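The two rules above (the cookie specification's component count per TLD, and the relaxed "penultimate label has at least three characters" behaviour the note attributes to Internet Explorer) as an added example, not code from the note. It runs both rules over the note's own example URLs plus one constructed bare host name, which is the "host name without domain" case from the Cause section.

```python
from urllib.parse import urlsplit

# The seven top-level domains for which the cookie specification requires
# only one additional domain component; every other TLD needs two.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def cookie_domain_acceptable(url: str, lenient: bool = False) -> bool:
    """Return True if a browser will send cookies for the host in `url`.

    lenient=False applies the cookie specification as the note states it.
    lenient=True additionally applies the relaxed behaviour the note
    attributes to MS Internet Explorer: the domain is also accepted when
    the penultimate label of the host name is at least three characters.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # A bare host name (no dot) carries no domain at all: the browser cannot
    # decide where the cookie belongs, so it is never acceptable.
    if len(labels) < 2 or any(label == "" for label in labels):
        return False
    domain = labels[1:]                    # host label dropped, e.g. "sap.de"
    extra_components = len(domain) - 1     # components besides the TLD
    required = 1 if domain[-1] in SPECIAL_TLDS else 2
    if extra_components >= required:
        return True
    # Relaxed rule: "www.sap.de" passes because "sap" has three characters,
    # "www.co.uk" still fails because "co" has only two.
    return lenient and len(labels[-2]) >= 3


if __name__ == "__main__":
    # The note's own examples plus "sapserver" (constructed bare host name).
    for url in ("http://www.sap.com/", "http://www.sap.de/",
                "http://www.public.sap.de/", "http://www.xy.co.uk/",
                "http://www.co.uk/", "http://sapserver:8000/"):
        print(f"{url:28} spec={cookie_domain_acceptable(url)!s:5} "
              f"IE={cookie_domain_acceptable(url, lenient=True)}")
```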

Point 2:

Along with encrypted data transfer, the use of SSL (=> https) is designed to ensure that the specified server (for example, an enterprise or an organization) is authentic. SSL server certificates are used for this purpose. The browser checks each https URL to see whether the complete host name contained in the URL corresponds to the relevant specification (=> Common Name, CN) of the checked SSL server certificate. If the browser detects a variance, it triggers a warning (or an error).

For example:

The SSL server certificate was issued to "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". Then the following URLs are considered:

- http://tcs.mysap.com/... - no SSL/https

- https://tcs.mysap.com/... - this is acceptable

- https://tcs01.mysap.com/... - Warning/error

- In the case of an SSL server certificate that was issued to "CN=mysap.com, and so on", all of the URLs that are mentioned above return an error. On the other hand, in the case of an SSL server certificate that was issued to "CN=*.mysap.com, ...", the two https URLs would work without errors. However, a Certification Authority (CA) usually sets up its own rules for the parts of the certificates that it issues (and therefore authenticates). The use of wildcards (*) in the common name is not usually permitted.
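The host-name check of Point 2 as an added example (not code from the note): it extracts the CN from a subject written the way the note writes it, compares it with the host in the URL, and reproduces the MatchTargetName-style message from the Symptom section on a mismatch. The wildcard handling is an assumption: a single "*" is honoured only as the whole leftmost label and stands for exactly one label; "https://tcs/" is a constructed bare host name.

```python
from urllib.parse import urlsplit


def subject_cn(subject_dn: str):
    """Pull the CN out of a subject like 'CN=..., OU=..., O=..., C=...'.

    Assumes the simple comma-separated form the note shows (no escaped commas).
    """
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip().lower().rstrip(".")
    return None


def cn_matches_host(cn: str, host: str) -> bool:
    """True if the URL host name matches the certificate CN.

    '*' is honoured only as the complete leftmost label and stands for exactly
    one label: '*.mysap.com' matches 'tcs.mysap.com' but neither 'mysap.com'
    itself nor 'a.b.mysap.com' (an assumption; CA policy may be stricter).
    """
    host = host.lower().rstrip(".")
    if "*" not in cn:
        return host == cn
    cn_labels, host_labels = cn.split("."), host.split(".")
    if cn_labels[0] != "*" or "*" in cn_labels[1:]:
        return False
    return len(host_labels) == len(cn_labels) and host_labels[1:] == cn_labels[1:]


def check_url(url: str, subject_dn: str) -> str:
    """Describe what the browser (or the ICM trace) would report for the URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return "no SSL/https, certificate not checked"
    host = parts.hostname or ""
    cn = subject_cn(subject_dn)
    if cn is None:
        return "error: certificate subject has no CN"
    if cn_matches_host(cn, host):
        return "acceptable"
    return f'warning/error: MatchTargetName("{host}", "{subject_dn}")'


if __name__ == "__main__":
    subject = "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE"
    for url in ("http://tcs.mysap.com/", "https://tcs.mysap.com/",
                "https://tcs01.mysap.com/", "https://tcs/"):  # last: constructed
        print(f"{url:26} -> {check_url(url, subject)}")
```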

Comment:

When you use SSL-terminating reverse proxies (in front of the Web server/SAP Web Application Server/SAP J2EE server), you must make sure that the SSL server certificate of the reverse proxies corresponds to the host name of the reverse proxies that is visible to the browser.

General information about SSL and the SAP Web Application Server is available at http://service.sap.com/security > Security in Detail > Infrastructure Security: "Network and Transport Layer Security" and http://service.sap.com/security > Security in Detail > Archive (Old Documents): "SAP Web Application Server Security".

Solution

Use fully specified host names (including the domain specification) in URLs and make sure that you only use domains that conform to the rules defined in the cookie specification.

Header Data

Release Status: Released for Customer
Released on: 18.09.2007 15:39:24
Master Language: German
Priority: Recommendations/additional info
Category: Installation information
Primary Component: BC Basis Components

Additional Components:

BC-NET Network Infrastructure

BC-BSP Business Server Pages

BC-MID-ICF Internet Communication Framework

BC-JAS Java Application Server - Please use sub-components

EP-PIN Portal Infrastructure

BC-WD Web Dynpro

The Note is release-independent

Related Notes

Number Short Text

1257108 Collective Note: Analyzing issues with Single Sign On (SSO)

1009930 (Display) problems in View Designer when you load a view

830830 Inf. broadcasting: Typical problems with folder selection

817529 Checking the SSO configuration

805344 How URLs are generated automatically in BW

763427 Error message for domain name with underscore

701205 Single Sign-On using SAP Logon Tickets

677118 SP31-> Fully Qualified Domain Names Check

654326 Domain restrictions in a portal environment

632440 Domain barrier in the browser of the SAP Enterprise Portal

612670 SSO for local BSP calls using SAP GUI HTML Control

611361 Hostnames of SAP servers

585042 Reduction of the data transfer Web middleware/browser

517860 Logging on to BSP applications

356691 Problem analysis: SAP logon ticket with Workplace SSO

Attachments

File Type  File Name                          Language  Size

PDF        Netscape_Cookie_Specification.pdf  E         19 KB