Overview
Under this blog, I have outlined how to configure an SAP Web Dispatcher (WD) so that it acts as the reverse-proxy server for an XSA instance where SSL is terminated at the XSA server. The WD will simply route requests to the XSA instance. This setup allows the XSA host to be hidden from the end user.
Mainly if you have port-based XSA installed due to application limitations.
DISCLAIMER
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.
Purpose
I have carefully prepared a document that outlines all the necessary steps for configuring the external SAP web dispatcher for SAP HANA XSA application URLs. By following these instructions, you can ensure that your Hana DB is kept secure and is not directly exposed to end users. It is important to take these steps to protect your data and ensure that your applications are running as smoothly as possible.
Prerequisites
Your XSA, cockpit, and web dispatcher minimum above then below version
- SAP HANA XS Advanced - version 1.0.117 or later
- SAP HANA XS Advanced Cockpit - version 1.1.15 or later
- Web Dispatcher - version 7.77 or later
Open the below ports from the DB server to Webd and the same ports from Webd to the end user machine
if your HANA NN is 00 use below ports, please replace 00 with your port number.
4300,8000,30003,30005,30007,30009,30013,30014,30015,30025,30030,30032,30033,3040,30043,30044,30045
Standard ports
44300,44301,44302,44305,44306,44307,50013,51002,51003,51038,51039,51041,51045,51047,53075,22,51004,51005,51008,51009,51011,51012,51015,51016,51017,51020,51021,51022,51023,51024,51025,51026,51027,51030,51031,51032,51033,51034,51035,51036,51037
External Web Dispatcher setup for HANA XSA application (mainly FSPRO) Steps: –
- Take all system configuration backup
- Configure WD
- Configure SAP HANA XSA
- Test URLs
Take all system configuration backup :-
As per preventive measures take full HANA VM backup, We are only adding new configuration it will not impact core functionality.
Take all xs ini files backup along with Hana internal webD profile parameter backup
Configure WD:-
The following needs to be added to your WD profile file (e.g. /usr/sap/<SID>/SYS/profile/<SID>_<Instance>_<WD_hostname>):
wdisp/system_conflict_resolution = 1
# size of requests to an SAP HANA XS advanced system should be unrestricted
icm/HTTP/max_request_size_KB=-1
icm/host_name_full_compatibility_mode = true
# SAP HANA XS advanced ports
icm/server_port_1=PROT=TCP, PORT=30030, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2=PROT=TCP, PORT=30032, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_3=PROT=TCP, PORT=29002, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4=PROT=TCP, PORT=51038, TIMEOUT=60, PROCTIMEOUT=600
# SAP HANA XS advanced endpoints
wdisp/system_0=NAME=XSAUAA, SID=HDB, SRCTCPSRV=*:30032, EXTSRV=tcp://<hana hostname>:30032
wdisp/system_1=NAME=XSA, SID=HDB, SRCTCPSRV=*:30030, EXTSRV=tcp:// <hana hostname>:30030
wdisp/system_2=NAME=APP1, SID=HDB, SRCTCPSRV=*:29002, EXTSRV=tcp://<hana hostname>:29002
wdisp/system_4 = NAME=XSA1, SID=HDB, SRCTCPSRV=*:51038, EXTSRV=tcp:// <hana hostname>:51038
NOTE: – SID, Ports, and Hanahostname need to be changed, based on your environment.
Where
PORT = a port on the XSA server
NAME = any name that helps you identify the entry. It can be anything. But no special characters are allowed and there’s a max limit of 12 characters.
SRCTCPSRV = same value as PORT.
EXTSRV = It should be the FQDN of the HANA server where XSA is installed, prefixed with tcp:// and qualified with the PORT.
SID = Hana DB SID
NOTE:- you can include all other XSA applications if you want like a cockpit.
For every SAP HANA XS advanced port entry, there must be a corresponding SAP HANA XS advanced endpoints entry. AND the port numbers must be the same for the entries. You can not do network address translation (NAT) here.
Since the domain of the XSA instance has changed, all XSA requests must be routed through the WD. Therefore, you must list all the externally accessible XSA ports in the WD profile. This includes the XSA Cockpit and XSA Controller page. For the PQM apps, you only need to list the approuter port. You do not need to include the web app port number. The approuter will route requests to the web app internally on the HANA server.
If you are getting the below warning on sapwebdisp check, please ignore it.
Configure SAP HANA XSA
Update XSA Domain Name
The XSA “default domain” needs to change to the web dispatcher’s FQDN hostname. WARNING – once done, all XSA web apps will not be reachable until the WD has been properly configured.
To change the XSA default domain,
- Login into SAP Hana Studio
- Go to Administration Condole à Configuration
- Open xscontroller.ini -> communication
- ini -> communication
- double-click on default_domain. Edit the System’s new value and set it to the WD fully-qualified domain name:
Restart the XSA services so that the change will take effect – “XSA restart” while logged in on the HANA server as the OS tenant DB user <SID>adm.
Update OS host file to allow for internal routing
To allow the newly changed XSA server to route internal requests without going through the WD, you need to add an entry into the /etc/hosts file that maps 127.0.0.1 to the XSA default domain.
EX:-
127.0.0.1 localhost Webdispacher hostname (used physical or virtual name configured into webd)
Generate new private and public key for renamed XSA server
Since “domain” of the XSA instance has changed, a new SSL private and public key will need to be imported into XSA. If you have it, you can re-use the same ones that were used for your WD. Otherwise, generate a new set and upload them into XSA using the command
“xs set-certificate <domain> -c <signed_public_cert>.cer -k <private_key>.key”.
Domain = Webdispacher hostname
IMPORTANT – the first endpoint entry must be the UAA security endpoint (aka authorization endpoint). The next one should be the XSA controller endpoint. Both can be determined by the command “xs system-info”.
Test URLs
Tested the SAP HANA cockpit URL routed via an external web dispatcher.
Reference SAP Notes:-
2894394 - Setting up a Web Dispatcher as a Reverse Proxy server for FS-PRO/FS-QUO.
1855097 - SAP Web Dispatcher support for SAP HANA XS load distribution and failover
Advantages:-
Secure your Hana DB to expose.
I hope this document will help you with the SAP HANA XSA external web dispatcher setup.
Cheers!
Anikesh Jyotishi