Purpose
In this wiki page, we will illustrate how to set up SAP Web Dispatcher (WDP) for Fiori applications. Communication scenarios, such as HTTP and SSL Termination are also covered.
Configuring WDP for Fiori Applications
Below diagram is the sample Fiori application Architecture for ECC/Gateway using SAP Web Dispatcher as a proxy/Load balancer solution:
Regarding Web Dispatcher Installation, please refer to the following WIKI page. The following communication scenarios are contemplated:
HTTP communication
Configure sapwebdisp.pfl In this section, SAP Web Dispatcher configuration using HTTP communication is explained. For HTTP communication, update following profile sections as shown below:
# Backend Systems
wdisp/system_0 = SID=<SID>, NR=XX, MSHOST=<ABAP_Back-End_Message_Server_Host>, MSPORT=<ABAP_Back-End_Message_Server_Port>, SRCSRV=*:*, SRCURL=/sap/es/;/ENTERPRISE_SEARCH;<additional prefixes; read the SAP KBA 2626799>, SSL_ENCRYPT=0
wdisp/system_1 = SID=<SID>, NR=XX, MSHOST=<ABAP_Front-End_Message_Server_Host>, MSPORT=<ABAP_Front-End_Message_Server_Port>, SRCSRV=*:*, SRCURL=/sap/opu;/sap/public;/sap/bc, SSL_ENCRYPT=0
# Used for Multiple systems
wdisp/system_conflict_resolution = 1
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP, PORT=<Web_Dispatcher_HTTP_Port>
icm/HTTPS/verify_client = 0
Restart Web Dispatcher to make changes effective. It’s also mandatory that NO HTTPS port was defined in Backend system, and in SICF transaction, the Security Requirement of the /ushell service in the backend must be ‘Standard’.
Testing Fiori URL using web dispatcher with HTTP must work:
http://<Web_Dispatcher_Hostname>:<Web_Dispatcher_HTTP_Port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
HTTPS communication (recommended)
Configure sapwebdisp.pfl In this section, SAP Web Dispatcher configuration using HTTPS communication is explained. To enable HTTPS for Web Dispatcher, make sure that you have followed instructions from this document (check points 1 to 4 from “Configuring the SAP Web Dispatcher for SSL When the Connection is Terminated and SSL is Used”).
Add following profile parameters in the Web Dispatcher profile:
# SSL parameters
ssl/ssl_lib = <Location_of_SAP_Cryptographic_Library>
ssl/server_pse = <Location_of_SSL_server_PSE>
ssl/client_pse = < Location_of_SSL_client_PSE >
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 1
wdisp/add_client_protocol_header = 1
wdisp/ping_protocol = https
icm/HTTPS/verify_client = 1
# SAP Web Dispatcher Ports :
icm/server_port_0 = PROT=HTTPS,PORT=<Web_Dispatcher_HTTPS_Port>
# Backend System
wdisp/system_0 = SID=<SID>, NR=XX, MSHOST=<ABAP_Back-End_Message_Server_Host>, MSPORT=<ABAP_Back-End_Message_Server_Port>, SRCSRV=*:*, SRCURL=/sap/es/;/ENTERPRISE_SEARCH;<additional prefixes; read the SAP KBA 2626799>
wdisp/system_1 = SID=<SID>, NR=XX, MSHOST=<ABAP_Front-End_Message_Server_Host>, MSPORT=<ABAP_Front-End_Message_Server_Port>, SRCSRV=*:*, SRCURL=/sap/opu;/sap/public;/sap/bc
# Used for Multiple systems
wdisp/system_conflict_resolution = 1
Restart Web Dispatcher to make changes effective. It’s also mandatory that HTTPS port was defined in Backend system, in SICF transaction, the Security Requirement of the /ushell service in the backend should be ‘Standard’:
and in “SICF > Error Pages > Configuration”, the Logon Protocol should be ‘Logon via HTTPS’:
Testing Fiori URL using web dispatcher with HTTP must work: https://<Web_Dispatcher_Hostname>:<Web_Dispatcher_HTTPS_Port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
Configuring WDP for Fiori s4HANA Applications
Below diagram is the sample Fiori s4HANA Architecture for ECC/Gateway using SAP Web Dispatcher as a proxy/Load balancer solution:
The previous configuration described for Fiori applications is valid for this case, but in addition you just need to add following web dispatcher parameters:
# Backend Systems
wdisp/system_2=SID=<HANA_SID>, EXTSRV=<HANA_XS_URL>, SRCSRV=*:<Web_Dispatcher_Port>, SRCURL=/sap/hba/;/sap/hana/;/sap/bi/;/sap/viz/;/sap/vi/;/sap/ui5
Restart Web Dispatcher to make changes effective. Testing Fiori URL using web dispatcher with HTTP must work for HTTP and HTTPS: http://<Web_Dispatcher_Hostname>:<Web_Dispatcher_HTTP_Port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
https://<Web_Dispatcher_Hostname>:<Web_Dispatcher_HTTPS_Port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
Fiori Launchpad Logon Procedure
Requests with HTTPS client protocol should be able to Login successfully in this case.The Launchpad requires Logon via HTTPS by default (This is SAP recommendation). These are the possible Logon scenarios contemplated and the behavior expected:
- If no HTTPS port in the ICM of the Backend and Security Requirement of the /ushell service in the backend is ‘Standard’, you can Logon via HTTP protocol.
- If HTTPS port in ICM, and no client protocol, Fiori Launchpad switches the host from web dispatcher to backend and the protocol to the one expected (HTTPS in this case).
- If HTTPS port in ICM, and client protocol HTTP, Fiori Launchpad switches the host from web dispatcher to backend and the protocol to the one expected (HTTPS in this case).
- If HTTPS port in ICM, and client protocol HTTPS, should be able to Login successfully.