
Principal Propagation with F5 load balancer in the landscape

pjcools
SAP Champion

Hi

I've carried out Principal Propagation settings in a large amount of projects and for the most part have connected to either backend ERP or backend SAP on-premise Gateway systems. In these cases the System Certificate is loaded into each system to enable the PP security technique. This has worked well in all cases.

I have a client now that has an F5 in front of their on-premise gateway systems and has 4 application servers present. As such we would like to connect from the Cloud Connector to the F5 (not the Gateway servers directly). There are a lot of options within the F5 so just looking for what the best practice here is, and a few questions come to mind.

- Assuming the same activity is required of loading the signed System Certificate into the F5. Is this correct? If so, do you have to create a new P12 system certificate that includes the private key? We have tried loading the normal DER certificate from the SAP Cloud Connector (and needed to convert it before doing so), however this is not allowing us to load it correctly - it is asking for a private key. Additionally, if we create a P12 we would need to load this also into the SAP Cloud Connector and all other backend systems.

Would be good to get some more detailed information on the steps involved here to ensure Principal Propagation will still work with this in the mix.

- An alternative option looks like changing the F5 to simply pass through the request to make it a Level 4 connection (no security basically).

Any assistance with this would be appreciated.

Thanks

Phil Cooley
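The import failure described in the question (a DER system certificate being rejected because it carries no private key) comes down to what the file actually contains. As an added example that is not part of this thread, the following openssl-based checks classify a certificate artefact and confirm whether a PKCS#12 bundle holds a private key matching its certificate; it assumes the openssl CLI and generates throwaway self-signed fixtures in place of real Cloud Connector material.

```shell
#!/bin/sh
# Added example (not from the thread). Classify certificate artefacts the way a
# load balancer's import dialog sees them and verify that a PKCS#12 bundle
# carries a private key that matches its certificate.
# Assumptions: the openssl CLI is installed; every file below is a throwaway
# fixture generated here, not real SAP Cloud Connector material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed key + certificate, plus a DER copy and a PKCS#12 bundle of them.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=scc-example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/cert.der"
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -passout pass:changeit -out "$WORK/bundle.p12"
}

# artefact_type FILE [PASSWORD]: prints der-cert, pem-cert, pkcs12 or unknown.
artefact_type() {
    if openssl x509 -in "$1" -inform der -noout 2>/dev/null; then echo der-cert
    elif openssl x509 -in "$1" -inform pem -noout 2>/dev/null; then echo pem-cert
    elif openssl pkcs12 -in "$1" -info -noout -passin "pass:${2:-}" >/dev/null 2>&1; then echo pkcs12
    else echo unknown
    fi
}

# has_private_key FILE [PASSWORD]: succeeds only if FILE holds a private key
# (PKCS#12 or PEM). A bare certificate, DER or PEM, never does, which is why an
# import dialog asks for the key separately.
has_private_key() {
    if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:${2:-}" 2>/dev/null \
        | grep -q "PRIVATE KEY"; then return 0; fi
    grep -q "PRIVATE KEY" "$1" 2>/dev/null
}

# key_matches_cert KEY.pem CERT.pem: succeeds if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform der | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform der | openssl sha256)
    [ "$k" = "$c" ]
}

make_fixtures
for f in cert.der cert.pem bundle.p12; do
    printf '%s: %s\n' "$f" "$(artefact_type "$WORK/$f" changeit)"
done
```

Run against a real export, the DER file reports der-cert and fails has_private_key, which is the condition behind the "private key required" prompt.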

Accepted Solutions (0)

Answers (4)


Ivan-Mirisola
Product and Topic Expert

Hi Phil,

AFAIK, you may use F5 for load-balancing SAP application servers - but there are some caveats (one of them explained in SAP Note 2509435).

Back in my consulting days as an architect I have almost always recommended customers to deploy an SAP Web Dispatcher installation to load balance SAP application servers - specifically when dealing with the HTTP protocol. SAP back-ends do not maintain the server connection for HTTP requests, so if you rely on Message Server for load balancing there is a high chance a session will be established on a different server during a full web page load - which may not be desired at all.

Thus, it is a good practice to have a Web Dispatcher in front of your SAP servers - at least for HTTP requests. When dealing with Fiori Apps this is not just a good practice but it is also mandatory (especially when you have an SAP Gateway HUB deployment).

With that in mind I would recommend you to have a Web Dispatcher in front of your SAP Gateway Application Servers. A single instance of Web Dispatcher will allow you to connect to several SAP instances. However, a Web Dispatcher is not a full-blown reverse proxy - so you must think of it as SAP's solution for load balancing HTTP in the context of SAP Back-ends.

Under such circumstances, your SAP Cloud Connector would allow the virtual address to be called from the cloud system which would in turn be calling a web dispatcher server.

The F5 may be used for load balancing parallel Web Dispatchers. However, this would imply additional F5 configuration effort when compared to a Hardware HA solution for two Web Dispatcher hosts.

With all that said, you would need to think of setting up an SSL re-encryption scenario in the Web Dispatcher, which means your Web Dispatcher would receive the incoming request from the cloud in SSL and it would re-encrypt the packages using the certificates from the application servers connected to it.

The good thing about using Web Dispatcher is it maintains client-to-server sessions and works with the SSO scenarios provided by SAP Cloud Connector.

Best regards,
Ivan

former_member136826
Discoverer

Hello Phil,

I know this is a very old post, but would you please let me know if you were able to configure Principal Propagation via F5 load balancer?

I have the below setup to configure SCP mobile services via Principal Propagation to achieve an HA setup with parallel web dispatchers and three application servers in the backend Gateway system.

SCP Mobile -> SAP Cloud Connector -> F5 -> Web disp1 and Web Disp2 (No HA) -> 3 app servers.

pjcools
SAP Champion

Hi Ivan

Ordinarily we connect the Cloud Connector to an SAP Gateway or backend SAP ERP ABAP system and it works a treat. For Principal Propagation we also update the System Certificate and update ICM parameters in each of the backend systems. In this scenario, there are multiple SAP Gateway servers so we don't want to connect to just one of them (by setting a single Internal Host), and because load balancing is not internal but is being handled via an F5 load balancer, we would like to connect the SAP Cloud Connector to this box - not the SAP Gateway.

So - we went to load the System Certificate from the Cloud Connector into the F5 but it won't load. Needs additional security elements.

thanks

Phil

pjcools
SAP Champion

Hi Ivan

Appreciate your comments in this topic however I am connecting up the environment from SAP Cloud Platform so this is not on-premise here and at the moment the client does not have any SAP Web Dispatchers in their environment. Also no bandwidth in this project to do so given they already have F5's. I've tried to hook up web dispatchers before and while I like the architecture inclusion the UI is terrible making it difficult for anyone that is not a Basis Consultant of 10+ years standing to configure successfully. I have already installed and configured the SAP Cloud Connector as the reverse proxy and this is working well except for the hooking up of the F5. It is reachable at the moment but just trying to understand the security side of things - certificates and parameters etc.

Thanks for your feedback though and I agree that on-premise SAP Web Dispatchers are a definite inclusion, but from a cloud perspective I think this inclusion complicates the architecture.

Thanks & Kind Regards

Phil Cooley

Ivan-Mirisola
Product and Topic Expert

Hi Phil,

Could you detail a little bit on the concept involving F5's and Cloud Connector? What is it that you are trying to achieve with F5 in this context?

Best regards,
Ivan

sonikapoly
Discoverer

Hi Phil, I know this is a very old post but did you get any solution for this? I am also trying to connect from BAS -> Cloud Connector -> F5 LB -> Web Dispatcher -> S/4 or ECC system.