20.03.2010 Page 1 of 4
SAP Note 654982 - URL requirements due to Internet standards
Note Language: English Version: 9 Validity: Valid Since 17.07.2008
Summary
Symptom
1. Cookies (particularly: MYSAPSSO2) are not set (even though the server issues these and the browser accepts cookies. Filtering reverse proxies have also been ruled out as the source of the error.).
2. https does not work. The browser reports the following error or warning (or similar): "Certificate name is invalid and is unsuitable for the server", or the ICM trace contains the following message, or similar:
MatchTargetName("<hostA.domain.tld>", "CN=<hostB.domain.tld>,OU=<...>, O=<...>, C=<...>")
More Terms
Cookie, URL, URI, FQDN, SSL, X.509, Single Sign-On (SSO), icm/host_name_full
Cause and Prerequisites
These problems occur either because only the host name, but not the domain (=> FQDN, fully qualified domain name), is specified in the URL, or because the domain that you use does not satisfy the requirements of the cookie specification (for more information, see: http://wp.netscape.com/newsref/std/cookie_spec.html).
Point 1:
To enable the browser to decide to which server a cookie may be sent, the URL must include the domain specification, since this information is used as a basis for the decision.
The cookie specification tightens this requirement by stipulating that
o domains with the extension "com", "edu", "net", "org", "gov", "mil" or "int" must include at least one additional domain component (usually the name of the company or organization), while
o any domain with a different extension (including the national top-level domains in particular, for example, "de", "uk", "fr", and so on) must consist of at least two additional domain parts.
For example:
- http://www.sap.com/... - this is acceptable
- http://www.sap.de/... - this is not acceptable
- http://www.public.sap.de/... - this is acceptable
Comment:
Some browsers (for example, Microsoft Internet Explorer) are less strict and also permit domains that violate the cookie specification rules listed above. To the best of our knowledge (for which we cannot be held responsible), all domains whose penultimate domain component consists of at least three characters seem to be generally accepted (because otherwise there would be problems, for example with all British domains, due to insufficient restrictions on how cookies are sent):
- http://www.sap.de - for MS IE: acceptable
- http://www.xy.co.uk - acceptable (conforms to specifications)
- http://www.co.uk - not acceptable (in accordance with the specifications)
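The strict rule from Point 1 as a check that can be run over planned URLs (an added example, not part of the SAP Note). It assumes the cookie is scoped to the host name minus its first label; the function name and the host `sapserver` are constructed for illustration.

```python
from urllib.parse import urlsplit

# The seven extensions the note lists as needing only one additional component.
GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def cookie_domain_check(url):
    """Return (ok, cookie_domain, reason) for the strict rule in Point 1.

    Assumption: the cookie domain is the host name minus its first label.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    if len(labels) < 2:
        return (False, None, "host name without domain (not an FQDN)")
    if all(label.isdigit() for label in labels):
        return (False, None, "IP address, no domain to scope the cookie")
    domain_labels = labels[1:]           # www.sap.de -> ["sap", "de"]
    tld = domain_labels[-1]
    additional = len(domain_labels) - 1  # components besides the extension
    required = 1 if tld in GENERIC_TLDS else 2
    domain = "." + ".".join(domain_labels)
    if additional < required:
        return (False, domain,
                f"'{tld}' needs {required} additional component(s), found {additional}")
    return (True, domain, "conforms to the cookie specification")


# URLs taken from the note, plus one constructed short-host-name case.
SAMPLE_URLS = [
    "http://www.sap.com/",
    "http://www.sap.de/",
    "http://www.public.sap.de/",
    "http://www.xy.co.uk/",
    "http://www.co.uk/",
    "http://sapserver:8000/sap/bc/bsp/",  # constructed: host name only
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, domain, reason = cookie_domain_check(url)
        print(f"{'OK ' if ok else 'BAD'} {url:34} domain={domain} ({reason})")
```

The check implements the specification's rule only; it does not model the more lenient browser behaviour described in the comment above.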
Point 2:
Along with encrypted data transfer, the use of SSL (=> https) is designed to ensure that the specified server (for example, an enterprise or an organization) is authentic. SSL server certificates are used for this purpose. The browser checks each https URL to see whether the complete host name contained in the URL corresponds to the relevant specification (=> Common Name, CN) of the checked SSL server certificate. If the browser detects a variance, it triggers a warning (or an error).
For example:
The SSL server certificate was issued to "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". Then the following URLs are considered:
- http://tcs.mysap.com/... - no SSL/https
- https://tcs.mysap.com/... - this is acceptable
- https://tcs01.mysap.com/... - Warning/error
In the case of an SSL server certificate that was issued to "CN=mysap.com, and so on", all of the URLs that are mentioned above return an error.
On the other hand, in the case of an SSL server certificate that was issued to "CN=*.mysap.com, ...", the two https URLs would work without errors. However, a Certification Authority (CA) usually sets up its own rules for the parts of the certificates that it issues (and therefore authenticates). The use of wildcards (*) in the common name is not usually permitted.
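The host name comparison from Point 2, replayed over the note's three certificates and three URLs (an added example, not part of the SAP Note and not the ICM's MatchTargetName code). It models only the CN comparison described here and does not look at subjectAltName entries; all function names are illustrative.

```python
from urllib.parse import urlsplit


def common_name(subject):
    """Extract the CN value from a subject string such as 'CN=host, OU=..., C=DE'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None


def host_matches_cn(host, cn):
    """Exact match, or '*' as the left-most CN label covering exactly one host label."""
    host_labels = host.lower().rstrip(".").split(".")
    cn_labels = cn.split(".")
    if len(host_labels) != len(cn_labels):
        return False
    if cn_labels[0] == "*":
        return host_labels[1:] == cn_labels[1:]
    return host_labels == cn_labels


def check_url(url, subject):
    """Classify a URL against a certificate subject the way the note's example does."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "no SSL/https"  # no certificate is involved at all
    cn = common_name(subject)
    if cn and parts.hostname and host_matches_cn(parts.hostname, cn):
        return "acceptable"
    return "warning/error"


# Subjects and URLs from the note's example; the elided parts of the two
# shorter subjects are left out.
SUBJECTS = [
    "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE",
    "CN=mysap.com",
    "CN=*.mysap.com",
]
URLS = ["http://tcs.mysap.com/", "https://tcs.mysap.com/", "https://tcs01.mysap.com/"]

if __name__ == "__main__":
    for subject in SUBJECTS:
        for url in URLS:
            print(f"{common_name(subject):16} {url:28} {check_url(url, subject)}")
```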
Comment:
When you use SSL-terminating reverse proxies (in front of the Web server/SAP Web Application Server/SAP J2EE server), you must make sure that the SSL server certificate of the reverse proxies corresponds to the host name of the reverse proxies that is visible to the browser.
General information about SSL and the SAP Web Application Server is available at http://service.sap.com/security > Security in Detail > Infrastructure Security: "Network and Transport Layer Security" and http://service.sap.com/security > Security in Detail > Archive (Old Documents): "SAP Web Application Server Security".
Solution
Use fully-specified host names (including the domain specification) in URLs and make sure that you only use domains that conform to the rules defined in the cookie specification.
Header Data
Release Status: Released for Customer
Released on: 18.09.2007 15:39:24
Master Language: German
Priority: Recommendations/additional info
Category: Installation information
Primary Component: BC Basis Components
Additional Components:
BC-NET Network Infrastructure
BC-BSP Business Server Pages
BC-MID-ICF Internet Communication Framework
BC-JAS Java Application Server - Please use sub-components
EP-PIN Portal Infrastructure
BC-WD Web Dynpro
The Note is release-independent
Related Notes
Number Short Text
1257108 Collective Note: Analyzing issues with Single Sign On (SSO)
1009930 (Display) problems in View Designer when you load a view
830830 Inf. broadcasting: Typical problems with folder selection
817529 Checking the SSO configuration
805344 How URLs are generated automatically in BW
763427 Error message for domain name with underscore
701205 Single Sign-On using SAP Logon Tickets
677118 SP31-> Fully Qualified Domain Names Check
654326 Domain restrictions in a portal environment
632440 Domain barrier in the browser of the SAP Enterprise Portal
612670 SSO for local BSP calls using SAP GUI HTML Control
611361 Hostnames of SAP servers
585042 Reduction of the data transfer Web middleware/browser
517860 Logging on to BSP applications
356691 Problem analysis: SAP logon ticket with Workplace SSO
Attachments
File Type File Name Language Size
PDF Netscape_Cookie_Specification.pdf E 19 KB