Application Gateway with Apache



Application Gateway with Apache: Multi-backend scenarios
Nghia Nguyen, SAP NetWeaver RIG Americas, SAP Labs, LLC

Agenda
- Introduction
- Session Objectives and Requirements
- Use Cases and Scenarios
- Limitations
- Configuring the Applications
- Troubleshooting
- Security Configuration Resources
- Demo
- Wrap-Up

Enterprise Security Requirements
Enterprise applications need protection for proprietary and confidential information and systems. These requirements are driven not only by the desire to protect against unwanted access, but also by regulatory constraints regarding personal privacy.
SAP AG 2006, RAFP20 - EFP / 4

Acronyms
- SAP ERP: SAP Enterprise Resource Planning
- SAP CRM: SAP Customer Relationship Management
- SAP SRM: SAP Supplier Relationship Management
- ITS: Internet Transaction Server
- ICF: Internet Communication Framework
- ICM: Internet Communication Manager
- IAC: Internet Application Component

Data and Application Security
Data security is required to protect proprietary or personal information from unauthorized access. This includes:
- Restricting application users from accessing data they are not authorized to see
- Encryption of data to prevent unauthorized access to the data by users outside the application
Application security is required to ensure that:
- Only authorized users are allowed to access the system
- Data security is maintained inside the application

Safeguards Versus Threats
[Figure: diagram of threats between a client (Alice), the network, the application and the server, each paired with a safeguard.]
- Threats shown: social engineering, masquerading, penetration, application-level vulnerabilities, eavesdropping, tampering, denial of service, spoofing, OS cracking, planting
- Safeguards shown: training, authentication, firewall, patches, application gateway, encryption, OS hardening, virus detection

Data Flow: why we need proxies
[Figure: request path Browser -> Portal -> SAP System.]
1. Browser: iView request to the portal
2. Portal: compute target URL
3. Portal: target request to the SAP system
4. SAP system: run web application

What is an Application Gateway?
- An application that acts as a middle man between your computer and the Internet resources you are accessing (e.g. Web sites, FTP archives)
- No direct connection between a client on the local network and a server on the Internet (or vice versa)
- Relays traffic between the actual client and the actual server while doing checks and access controls that typical client and server software do not support

Possible Features of an Application Gateway
- Pre-authentication and authentication: is the user permitted to access the server / service / URL?
- Validity of a service request / URL: is access to the requested URL via the Internet permitted? Does the request contain no known exploits? Is the source of the request permitted (sender address)?
- Integrity and correctness of the message (for example SOAP): is the destination for the SOAP message known and is access to it via the Internet permitted? Is the sender permitted?
- Auditing
- Other (non-security related): combining different information sources under one external name (content unification)

URL Generation
A common issue with proxies is URL generation by the backend (proxied) applications. When applications generate URLs to other applications or to themselves, you must ensure that all hostnames can be resolved by the client browser. Proxies such as Apache provide the ProxyPreserveHost directive, which ensures that the hostname requested by the client is passed all the way through to the application. Generated URLs will then be based on the proper hostname, which is resolvable by the client. SAP NetWeaver 04 and 2004S systems have configuration capabilities that control which hostname is returned to the client.

Session Objectives
As a result of this session, you will be able to:
- Provide an alternative solution for a multi-backend system
- Understand the basic role of an Application Gateway
- Understand the current limitations of this solution

Requirements
- Have the Apache HTTP Server
- Have access to httpd.conf for modification
- Have permission to restart the web server
- Understand basic regular expressions
- Have multiple SAP NetWeaver usage types installed
- Have permission to create/change system definitions

Common Use Cases
Supplier Portal / Customer Portal
It is very common that applications such as mySAP SRM or mySAP CRM are used in Internet-facing scenarios to facilitate direct access to company data by that company's suppliers or customers.
Business Process Integration
The continued evolution of process integration between companies and business units further moves the requirement for access to backend applications from direct person-to-application access to more complex interactions, which often invoke transactional business processes between these entities.

Internet-facing Scenario: Basic
Basic scenarios allow direct access from the Internet to backend systems. A more secure configuration is to place an application gateway between the user and the backend system; see the SAP TechEd session http://educontent.wdf.sap.corp:1080/teched05/powerpoints/ags200.pdf

Internet-facing Scenario: Advanced
[Figure: landscape with multiple entry points, multiple protocols and multiple applications behind the gateway.]

Configuration Scenarios (1/2)
- Case 1: Single SAP NetWeaver Portal
- Case 2: Multiple SAP NetWeaver Portals

Configuration Scenarios (2/2)
- Case 3: Single SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM systems
- Case 4: Multiple SAP NetWeaver Portals with multiple SAP ERP/CRM/SRM systems

Limitations
Not able to hide all aspects of the SAP hostname: the ICM session segment in the path, which is Base64-encoded, still carries it in the request line and in the Referer URL. Examples:
Request line:
    /sap(cz1tsuqlm2fbtk9ojtnhse9tve5btuvfv0fkxzawjtnhttq4mmrgt2diwu1lcfltt GdQS0RSWUNtMHpvcm9mZGdXX1lxUXl1eC1BVFQ=)/bc/gui/sap/its/it13/~flNUQVRFPTE4N TI2LjAwMi4wMS4wMQ== HTTP/1.1
Referer URL:
    http://<portalhostname>:9020/sap(cz1tsuqlm2fbtk9ojtnit1nutkfnrv9xqupfmdalm2f NNDgyZEZPZ0hZTWVwWW1MZ1BLRFJZQ20wem9yb2ZkZ1dfWXFReXV4LUFUVA==)/bc/gu i/sap/its/it13/~flnuqvrfpte4nti2ljawmi4wms4wmq==
Result (Base64 decode of the session segment):
    s=sid%3aanon%3ahostname_waj_00%3am482dfoghymepymlgpkdrycm0zorofdg W_YqQyux-ATT

Enterprise Portal System Configuration
Using proxies instead of a direct connection in the Landscape Manager: we typically build R/3 connections using the REAL HOST information. When we use proxies to access these back-end systems, we use the hostname of the proxy instead of the SAP NetWeaver AS when we define the system connection.

Accessing ITS Services with a Proxy
Without any configuration of the ITS services or of HTTPURLLOC, a client who requests an ITS service through a proxy will simply be redirected to the real SAP NetWeaver AS host, because the URLs generated by the ICF use the SAP NetWeaver AS hostname. Once the configuration is maintained, the client never sees the actual hostname of the SAP NetWeaver AS: the hostname it sees should be that of your proxy server!

Apache Proxy Tip
Apache configuration is fairly trivial: you simply modify httpd.conf to include a proxy rule for the backend system.
    ProxyPass        /sap http://ls4089.wdf.sap.corp:50089/sap
    ProxyPassReverse /sap http://ls4089.wdf.sap.corp:50089/sap
But there's a twist: this rule falls over when the ICM puts session information into the URLs (paths of the form /sap(...)/...). Then you need to add a rewrite rule that proxies such requests ([P]); mod_rewrite must be loaded and RewriteEngine On set for it to take effect.
    RewriteRule ^/(sap\(.*) http://ls4089.wdf.sap.corp:50089/$1 [P,L]

Possible Options
Option A: Multiple Apache ports
- Assign an Apache port to each system
- Administration and security: must monitor and open more ports for the WAN
Option B: Multiple Apache virtual hosts
- Assign a virtual host to each system
- Administration and security: more system aliases to maintain for the WAN
* SAP does not endorse or promote these configuration settings. These possible solutions will only provide an option to some of the common issues.

Case 1: Single SAP NetWeaver Portal (application server, proxy, portal)
Simple configuration level; requires simple rules.
Apache rules (the RewriteRule needs RewriteEngine On):
    ProxyPass        /irj       http://<full hostname>:<port>/irj
    ProxyPass        /logon     http://<full hostname>:<port>/logon
    ProxyPass        /webdynpro http://<full hostname>:<port>/webdynpro
    ProxyPassReverse /irj       http://<full hostname>:<port>/irj
    ProxyPassReverse /logon     http://<full hostname>:<port>/logon
    ProxyPassReverse /webdynpro http://<full hostname>:<port>/webdynpro
    RewriteRule ^/(sap.*) http://<backend hostname>:<port>/$1 [P,L]

Case 2: Multiple SAP NetWeaver Portals (portals, proxy)
Moderate configuration level; requires moderate rules.
Apache rules (one RewriteCond/RewriteRule pair per portal alias; requires RewriteEngine On, and the variable name is case-sensitive, so it must be QUERY_STRING):
    # portal 1
    RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
    RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
    # portal 2
    RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
    RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]

Case 3: Single SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM systems (application servers, proxy, portal)
Complex configuration level; requires complex rules.
Apache rules (one RewriteCond/RewriteRule pair per backend alias, plus the portal rules from Case 1; requires RewriteEngine On, and the variable name must be written QUERY_STRING):
    # backend system 1, reached through its own alias hostname
    RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
    RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
    # backend system 2
    RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
    RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
    # portal
    ProxyPass        /irj       http://<full hostname>:<port>/irj
    ProxyPass        /logon     http://<full hostname>:<port>/logon
    ProxyPass        /webdynpro http://<full hostname>:<port>/webdynpro
    ProxyPassReverse /irj       http://<full hostname>:<port>/irj
    ProxyPassReverse /logon     http://<full hostname>:<port>/logon
    ProxyPassReverse /webdynpro http://<full hostname>:<port>/webdynpro
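A fuller httpd.conf fragment for Case 3 laid out as Option B (one virtual host per public alias), added here as an example and not taken from the session; every hostname and port in it (portal.example.com, crm.example.com, portal01.internal.example, erp01.internal.example, crm01.internal.example) is an assumption. Beyond the session's rules it adds the two settings a gateway needs to stay a gateway: it never acts as a forward proxy, and it refuses paths that are not published through it.

```apache
# Global settings (httpd.conf). Module paths follow the stock layout.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so

# A gateway must never be a forward proxy: "ProxyRequests On" on an
# Internet-facing host turns it into an open relay. ProxyPass and
# RewriteRule [P] both work with it Off (the default).
ProxyRequests Off

# Hand the client's Host header to the backend, so ICM/ICF build their
# absolute URLs from the public alias instead of the internal hostname.
ProxyPreserveHost On

# Alias portal.example.com publishes the portal plus one ERP backend;
# alias crm.example.com publishes a second backend (all names assumed).
<VirtualHost *:80>
    ServerName portal.example.com
    RewriteEngine On

    # Portal (AS Java) entry points: plain prefix rules are enough here.
    ProxyPass        /irj       http://portal01.internal.example:50000/irj
    ProxyPassReverse /irj       http://portal01.internal.example:50000/irj
    ProxyPass        /logon     http://portal01.internal.example:50000/logon
    ProxyPassReverse /logon     http://portal01.internal.example:50000/logon
    ProxyPass        /webdynpro http://portal01.internal.example:50000/webdynpro
    ProxyPassReverse /webdynpro http://portal01.internal.example:50000/webdynpro

    # ICM paths start as /sap/... and, once a session exists, become
    # /sap(<base64>)/...; both shapes are proxied ([P]) to the ERP backend.
    # The query string is passed through unchanged by default, so it need
    # not be appended. ProxyPassReverse still fixes Location headers that
    # the backend sends back with its internal name.
    RewriteRule ^/(sap[/(].*) http://erp01.internal.example:8000/$1 [P,L]
    ProxyPassReverse /sap      http://erp01.internal.example:8000/sap

    # Everything not published above is refused at the gateway instead of
    # being forwarded ("is access to the requested URL permitted?").
    RewriteCond %{REQUEST_URI} !^/(irj|logon|webdynpro)(/|$)
    RewriteRule ^ - [F]
</VirtualHost>

<VirtualHost *:80>
    ServerName crm.example.com
    RewriteEngine On
    # The session's Case 2/3 condition "RewriteCond %{HTTP_HOST} ^.*?<alias>.*"
    # also matches any Host header that merely contains the alias. With one
    # VirtualHost per alias, ServerName does an exact match and no HTTP_HOST
    # condition is needed.
    RewriteRule ^/(.*) http://crm01.internal.example:8000/$1 [P,L]
    ProxyPassReverse /  http://crm01.internal.example:8000/
</VirtualHost>
```

Run apachectl -t after editing to catch syntax errors before restarting the server.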

Case 4: Multiple SAP NetWeaver Portals with multiple SAP ERP/CRM/SRM systems (portals, application servers, proxy)
Complex configuration level; requires complex rules.
Apache rules: almost the same as Case 3; just add more rules for each system.

Common Issues
Hostnames and domains
- Don't blame SAP for issues with cookies and certificates if you do not maintain your servers with real hostnames and in the same domain. The rules for cookie and certificate handling are defined in RFC 2616 for HTTP/1.1.
- The configuration isn't trivial: setup is the most common source of connectivity issues.
Users and authorizations
- Double check all users and ensure they can log on interactively prior to testing the same action through SSO.
Protocols
- Validate your SSL separately!

Tracing the Security Communication
Several SAP Notes address the topic of tracing and logging for security communication:
- Note 457222: Gathering Security Trace Information
- Note 495911: Trace Analysis for Logon Problems
- Note 320991: Error Codes for Logon (list)
- Note 791205: Single Sign-On Using SAP Logon Tickets
You need to trace the communication through all components:
- Client: browser-based tools such as HttpWatch
- Proxy: native tools/capabilities of the proxy
- Portal: enable HTTP tracing in the HTTP provider service of the dispatcher
- ABAP: SM50 and related methods described in the above notes

SAP Notes
- Note 833960: Supported Application Gateway Configurations
- Note 693220: Recommendations for the security of ITS services
- Note 725931: Security: ITS, security-relevant settings for IACs
- Note 596698: EP 6.0: Session Release Agent - Typical Problems
- Note 709038: SAP ITS Release 6.40: SAP Integrated ITS
- Note 457222: Gathering Security Trace Information
- Note 495911: Trace Analysis for Logon Problems
- Note 320991: Error Codes for Logon (list)
- Note 791205: Single Sign-On Using SAP Logon Tickets

Guides and Documentation
- Security @ SAP: http://service.sap.com/security
- NetWeaver Security Guide: http://help.sap.com/saphelp_nw04/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
- Enable SAP GUI for HTML with Integrated ITS: https://websmp204.sapag.de/~sapdownload/011000358700003584472004e/webgui_nw04.pdf

Resources
- Public Web: www.apache.org, www.sap.com
- SAP Developer Network: www.sdn.sap.com
- SAP Customer Services Network: www.sap.com/services/
- Related SAP Education training opportunities: www.sap.com/education/

Resources (cont.)
Related workshops/lectures from SAP TechEd 2005:
- AGS200: Increasing Infrastructure Security Using Application Gateways
- AGS250: Authentication Using the SAP NetWeaver User Management Engine

Demo Landscape
- Host: cdphl827, alias: ssphlrig600-1
- Host: ssphlrig600
- Host: ssphlrig602
- Host: cdphl607, alias: ssphlrig600-2

Your Turn!
Questions? How to contact me: nghia.nguyen@sap.com