web dispatcher
-
SAP Web Dispatcher 6.40 for SAP Web AS Java
Jochen Rundholz
NW RIG APA
-
SAP AG 2004, SAP Web Dispatcher /Jochen Rundholz / 2
RIG Know How Conf Calls
Please:
  All participants will be muted
  Questions in the Q&A section at the end
  Important issues via WebEx chat
Mute your phone
  Use the Mute button where available, or
  Key in *6* to mute and *6* to unmute in case you want to ask a question
Give feedback for further improvements
-
Introduction
Installation
Administration
-
Introduction Web Applications and Web Servers
Introduction Load Balancer
-
Requirements of Business Web Applications
Scalability and performance
  Scale out via additional application servers
  Load balancer necessary
  Dynamic content leads to a low fraction of cacheable content
Transactional
  Session persistence necessary
Security
  Protection of application servers (DMZ, reverse proxies, firewalls, ...)
  Authentication
  Encryption
Stability
  High availability is necessary
-
"Old" SAP Application Server Architecture
[Diagram. Labels: SAPGUI, RFC Client/Server, DIAG, RFC, Dispatcher, Gateway, Work Processes, RDBMS]
-
SAP Web Application Server 6.40
[Diagram. Labels: Browser, SAPGUI, RFC Client/Server, HTTP, DIAG, RFC, ICM, J2EE Dispatcher, J2EE Server Processes, Dispatcher, Gateway, Work Processes, RDBMS]
-
System Communication
[Diagram. Labels: Internet, Web Browser/Web Server, SAP GUI, HTTP, ICM, MS, MPI, JCo, ABAP, ABAP Dispatcher, WP ..., JAVA, Java Dispatcher, Server ..., SDM, Central Services (Enqueue Server, Message Server)]
-
Introduction Web Applications and Web Servers
Introduction Load Balancer
-
Load Balancing Design Criteria
Load balancing mechanism (client or server side)
End-to-end SSL or SSL termination in load balancer
  In-depth vs. end-to-end security, need to inspect traffic
  Persistence mechanism (session ID or IP address)
  Client certificate authentication
Cost of device
Performance
Robustness and high availability
Ease of configuration and operation (TCO)
Integration into existing infrastructure and security policy
-
Facts and Features of SAP Web Dispatcher
Usability
  Single point of access: only one URL for user, only one official IP address
  Load balancing and configuration via message server
Scalability and performance
  Software solution, not a hardware solution
Transactional
  Session persistence via cookie (HTTP) or IP address (HTTPS)
Security
  Protection of application servers (DMZ, reverse proxy, firewalls, ...)
  Authentication
  SSL termination, end-to-end SSL, re-encryption
  Simple request filtering
-
Hardware Load Balancer vs. SAP Web Dispatcher
Pro
  Additional features
  Re-use existing infrastructure
  Unified Web infrastructure for all Web systems (SAP and non-SAP)
Contra
  Cost
  Less integrated with SAP Web AS
  Configuration, operation, maintenance requires special expertise
-
Load Balancing Mechanisms (Redirection & DNS)
Redirections
  Simple
  Bad user experience and maintenance
DNS based methods
  Perhaps OK for intranet
  OK for global load balancing
  Generally not OK for server load balancing
-
Drawbacks of Redirection
Many official external DNS names and IP addresses
Confusing for the user, bookmarking destroys load balancing
With SSL
  Server certificate must match URL
  Every application server needs separate server certificate
  High administrative overhead
  Expensive
May lead to unnecessary user authentication dialogs
-
Load Balancing Mechanisms (Server Side)
Load balancing device
  Transparent for client
  Always the same URL
  One official IP address for all application servers
  One server certificate for all servers
  Technically challenging
  Usually preferable
[Diagram. Labels: Load Balancer, Application Server (x3)]
-
Web Dispatcher
[Diagram. Labels: http://web.acme.com, SAP Web Dispatcher, Message Server, Central Instance, Dialog Instance (x2), RDBMS]
-
Web Dispatcher For Multiple SAP Web AS
Multiple Web Dispatchers on different TCP ports
  Not recommended
  J2EE session cookies overwrite each other
  SSL to port other than 443 often not possible
[Diagram. Labels: https://web, https://web:444, IP, ports 443 and 444, SAP Web Dispatcher (x2), Corporate Network, SAP Web AS (x2)]
-
Web Dispatcher For Multiple SAP Web AS
Multiple Web Dispatchers on different (virtual) IP addresses
  Recommended
[Diagram. Labels: https://web1, https://web2, IP1, IP2, port 443 (x2), SAP Web Dispatcher (x2), Corporate Network, SAP Web AS (x2)]
-
Integration Into Web Server / Reverse Proxy
Integrate SAP Web AS services into Web site
Optional Web Dispatcher for scaling
Forward requests for /sap* to SAP Web AS
[Diagram. Labels: Internet, Firewall (x2), port 443, Web Server, Reverse Proxy Module, /sap*, other, Static Web Pages, SAP Web AS]
-
Network Security
Optional high security network with internal firewall
[Diagram, two variants. Labels: Internet, Access Router & Firewall, Firewall, Internal Firewall, Secure Server Network (DMZ), Internal Server Network, High Security Network, Application Proxy, Web Servers, SAP Web Application Server, Applications, Protected Applications, R/3, FI, HR etc., Database, DB]
-
Introduction
Installation
Administration
-
Sizing
Installation
High Availability
-
CPU Sizing
No measurements available yet
Main factor is the usage of SSL
  No SSL at all
  Termination of SSL
  Termination and re-encryption of SSL
Termination of SSL is expensive
Re-encryption is not very expensive, since only the handshake is expensive and the handshake between server and SAP Web Dispatcher has to be done only every couple of hours
-
Memory sizing
Memory usage for internal tables
Server tables
  Holding information about connected servers
  Usually very small (90 kB default, few MB for very large system)
Connection tables
  Holding information about the open connections
  concurrent_conn = (users * req_per_dialog_step * conn_keepalive_sec) / (thinktime_per_diastep_sec)
  mpi/total_size_mb = (concurrent_conn * mpi_buffer_size) / (1024 * 1024)
  Default: mpi_buffer_size = 32kB
  Default: mpi/total_size_mb = 500
End-to-end SSL table
  1.8 MB for 10.000 entries
-
Sizing
Installation
High Availability
-
Installing the SAP Web Dispatcher
Media for the Web Dispatcher is provided with the J2EE kernel:
  C:\usr\sap\\\exe\sapwebdisp.exe
  icmadmin.SAR
To install and set up the SAP Web Dispatcher:
1. Download kernel files from SAP Service Marketplace
2. Extract kernel using sapcar -xvf
3. Copy the sapwebdisp.exe and icmadmin.SAR files to a directory on what is to be the Web Dispatcher host.
4. Use sapcar -xvf to extract the icmadmin.SAR file into that directory.
5. Execute sapwebdisp -bootstrap to generate an initial profile for the Web Dispatcher
6. Start the Web Dispatcher with sapwebdisp pf=sapwebdisp.pfl
-
Download from service.sap.com/download
-
Unpack kernel
These are only the minimum files; sometimes additional files might be used/helpful
-
Unpack icmadmin.SAR & Folder Structure
-
Configuring the SAP Web Dispatcher
Necessary Input
Important Information
-
Basic files after installation
Developer Trace
Hashed Password of User
SAP Web Dispatcher executable
SAP Web Dispatcher profile
-
Additional Information
Some additional information regarding the installation
  Version information via sapwebdisp -v
  Trace file dev_webdisp in Web Dispatcher directory
  MS platforms: msvcp71.dll and msvcr71.dll must exist (OSS 684106)
  Start SAP Web Dispatcher via sapwebdisp.exe pfl=:\\sapwebdisp.pfl
  OSS notes: 538405
-
Sizing
Installation
High Availability
-
Web Dispatcher High Availability
[Diagram. Labels: High availability cluster, SAP Web Dispatcher (x2), Fail-Over, Corporate Network, SAP Web AS, Redundant Network Infrastructure]
-
High Availability of SAP Web Dispatcher - Basics
Some basic information
  Failover software has to be provided by hardware partner
  No automatic restart possibility of Web Dispatcher process in case of process crash on MS or iSeries platforms
  Automatic restart possibility given on UNIX platforms via watchdog
-
Watchdog on UNIX
Setup of watchdog on UNIX
  Start the SAP Web Dispatcher with the option -auto_restart
  The SAP Web Dispatcher will fork and create a child process
  Both processes have access to the same resources
  The child process will take over the actual work, the parent process provides the watchdog functionality
-
Introduction
Installation
Administration & Configuration
-
Basics
Load Balancing
Session Persistence
SSL Options
-
sapwebdisp.pfl
Typical Web Dispatcher Parameter File:
-
Basic Profile parameters
These are the most basic profile parameters
SAPSYSTEM
  Must be unique on the host and must be in the range between 0 and 98
  Used to distinguish shared memory segments of different SAP Web Dispatchers on the same host
rdisp/mshost
  Hostname of the host where the message server is running (in case of double stack installation the ABAP MS has to be used)
ms/http_port
  Port of the message server
wdisp/auto_refresh
  Time to refresh internal routing tables
icm/server_port_0
  Protocol and port where the dispatcher is listening for incoming requests
icm/http_admin_0
  Configuration of admin access
-
Administration Tool
dev_wdisp
sapwebdisp.pfl plus default values
sapwebdisp -v
-
Basics
Load Balancing
Session Persistence
SSL Options
-
Load Balancing Mechanism: Overview
Load balancing device needs information about system state
Configuration
  Manual
  Retrieve from SAP Message Server (hosts, port numbers, ...)
Load balancing
  Round-robin (weighted)
  Load-based
  Use information from SAP Message Server
High availability
  Check individual Web AS instances
  Use information from SAP Message Server
-
Load Balancing Server Determination
-
Load Balancing: Capacity
Capacity value is provided by message server
Capacity of an instance is equal to the number of server processes of that instance
Capacity value from message server can be overwritten by configuration (OSS note 645130)
-
Load Balancing Strategy
wdisp/load_balancing_strategy
  weighted_round_robin (default): requests are distributed in turn to the servers, depending on their relative capacity
    Preferable for end-to-end SSL
  simple_weighted_round_robin: requests are distributed in turn to the servers, depending on their absolute capacity
    Preferable for very large systems (amount of application servers)
-
Load Balancing: Overruling Message Server
Set the parameter wdisp/server_info_location =
  UNIX: file:////info.icr
  MS: file://C:\< Path>\info.icr
The file info.icr looks like
  Version 1.0
  J2EE3537200
  J2EE host1 50000 LB=2
  P4 host1 50004 LB=2
  J2EE23799700
  J2EE host2 50200 LB=1
  P4 host2 50204 LB=1
The format is:
  J2EE
  J2EE LB=
  P4 LB=
LB values have to be identical
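A pre-deployment check for a hand-written info.icr, as an added example (not code from the presentation or from SAP). The line layout is inferred from the sample on this slide; reading "LB values have to be identical" as "identical within one instance" and requiring both a J2EE and a P4 line per instance are assumptions, and the function names are hypothetical.

```python
import re

# Constructed input: the slide's sample info.icr, one entry per line.
SAMPLE_ICR = """\
Version 1.0
J2EE3537200
J2EE host1 50000 LB=2
P4 host1 50004 LB=2
J2EE23799700
J2EE host2 50200 LB=1
P4 host2 50204 LB=1
"""

INSTANCE = re.compile(r"^J2EE(\d+)$")  # instance header line
ENTRY = re.compile(r"^(J2EE|P4)\s+(\S+)\s+(\d+)\s+LB=(\d+)$")  # protocol line


def parse_info_icr(text):
    """Return {instance_id: {protocol: (host, port, lb)}} or raise ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Version "):
        raise ValueError("first line must be the Version line")
    instances, current = {}, None
    for line in lines[1:]:
        header = INSTANCE.match(line)
        if header:
            current = header.group(1)
            if current in instances:
                raise ValueError(f"duplicate instance {current}")
            instances[current] = {}
            continue
        entry = ENTRY.match(line)
        if entry is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        proto, host, port, lb = entry.groups()
        if proto in instances[current]:
            raise ValueError(f"duplicate {proto} entry for instance {current}")
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {line!r}")
        instances[current][proto] = (host, int(port), int(lb))
    return instances


def find_problems(instances):
    """Report instances with differing LB values or a missing protocol line."""
    problems = []
    for inst, entries in instances.items():
        missing = sorted({"J2EE", "P4"} - set(entries))  # assumption: both needed
        if missing:
            problems.append(f"{inst}: missing {', '.join(missing)} entry")
        if len({lb for _, _, lb in entries.values()}) > 1:
            problems.append(f"{inst}: LB values differ between entries")
    return problems


if __name__ == "__main__":
    print(find_problems(parse_info_icr(SAMPLE_ICR)) or "info.icr is consistent")
```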
-
Monitoring Load Balancing
These values change over time, according to the load balancing strategy
-
Basics
Load Balancing
Session Persistence
SSL Options
-
Load Balancing + Stateful User Sessions
[Diagram. Labels: 1st request, 2nd request, Load Balancer, Application Server (x2), Session State]
-
Stateful User Sessions
Complex applications are usually stateful
  Hold database locks
  Store intermediate SQL results etc.
  Session state persistent between requests ("roll area")
HTTP is a stateless protocol
  Successive requests may open a new network connection
SAP Web AS uses session ID to recognize user session
  Session cookie
  Part of the request URL ("URL rewriting")
-
Persistence Mechanisms
Session ID (Cookie or URL)
  Detect actual application need for session persistence
  Requires no state in load balancer, because SAP session ID contains application server instance name
  Requires access to clear text HTTP request (termination of SSL in LB)
IP address of client
  Works also with encrypted traffic
  Problems with proxies: not good for Internet
  No way to detect stateless requests
  Problems with alternative host names
Cookies inserted into the data stream by load balancer
  Works "out-of-the-box"
  Problems with some SAP applications
  Requires access to clear text HTTP request
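The proxy problem of IP-address persistence, as an added simulation (not from the presentation): the same workload is distributed once with the client IP as persistence key and once with the session ID. Server names, addresses and the workload are constructed, and plain round-robin over equal-capacity servers stands in for the Web Dispatcher's weighted strategies.

```python
from collections import Counter
from itertools import cycle

SERVERS = ["as1", "as2", "as3"]  # hypothetical application servers

# Constructed workload of (client_ip, session_id) pairs: 60 users sit behind
# one forward proxy and share its address, 30 users connect directly.
SESSIONS = (
    [("198.51.100.10", f"proxy-user-{i}") for i in range(60)]
    + [(f"203.0.113.{i}", f"direct-user-{i}") for i in range(30)]
)


def distribute(sessions, key):
    """Pick a server round-robin for each new persistence key, then stick to it."""
    next_server = cycle(SERVERS)
    sticky = {}          # persistence key -> chosen server
    load = Counter()     # server -> number of user sessions it holds
    for client_ip, session_id in sessions:
        k = key(client_ip, session_id)
        if k not in sticky:
            sticky[k] = next(next_server)
        load[sticky[k]] += 1
    return dict(load)


def by_client_ip(sessions):
    """Persistence on the source address, the only option with end-to-end SSL."""
    return distribute(sessions, lambda ip, sid: ip)


def by_session_id(sessions):
    """Persistence on the session ID, which needs the clear text request."""
    return distribute(sessions, lambda ip, sid: sid)


if __name__ == "__main__":
    print("client IP :", by_client_ip(SESSIONS))
    print("session ID:", by_session_id(SESSIONS))
```

With the client IP as key, every user behind the proxy lands on the server chosen for the proxy's address; with the session ID as key, the same users spread evenly.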
-
Basics
Load Balancing
Session Persistence
SSL Options
-
Secure Socket Layer
Encryption is required for business applications
  Protect user credentials (e.g. passwords)
  Data security
Secure Socket Layer (SSL)
  SSL encrypts entire communication between browser and server
  Server authentication (mandatory)
    Browser verifies that server certificate matches URL
  Client authentication with X.509 certificates (optional)
    Server takes identity of user from browser certificate
  End point of SSL session is either
    Application Server (end-to-end security)
    Web infrastructure component (in-depth security)
-
Web Dispatcher In DMZ
Web Dispatcher is an application layer gateway, but does not have full reverse proxy functionality.
[Diagram. Labels: Internet, Firewall, SAP Web Dispatcher, Possibly filter requests, End-to-end SSL or SSL Termination, Firewall, Corporate Network, SAP Web AS, Encrypted or clear text traffic]
-
Web Dispatcher End-to-end SSL Mode
Pro
  Client authentication with X.509 certificates
  End-to-end data security
  Load balancer is "untrusted" component
Contra
  Persistence based on client IP address only
    Load balancing problems
    Proxies
    End-of-session
    But: IP address based persistence usually OK in intranet
  No logon groups
  No distinction between J2EE and ABAP applications
-
End-to-End SSL Revisited
All servers used by an SAP Web Dispatcher share the same certificate
  Good: few certificates
  Bad, because:
    Every load balancer must use an exclusive set of servers
    Multiple load balancers must use non-overlapping groups of servers
    Example: different URLs for internal and external users
[Diagram. Labels: SAP System, Load Balancer, Application Server, host1, host2, internal, external]
-
Web Dispatcher SSL Termination Mode
Pro
  Persistence based on application session ID
  Logon groups
  Detection of application type (ABAP / J2EE), select correct server
  Request parsing and URL filtering
  SSL re-encryption is possible
Contra
  Harder to configure
  Web Dispatcher becomes "trusted" component (secure channel to Web AS needed)
  Make sure Web Dispatcher does not become performance bottleneck
-
Please provide any feedback to improve our services!
Feedback
Thank You !
-
Questions?
Q&A