Web Dispatchers as a combination of software web switch, reverse proxy and gateway are in most cases the entry door between the Internet and backend systems. It is therefore important to have a sensible security configuration and to check it regularly.
In addition to my previous blog posts:
this article is intended to help overcome minor difficulties in the security monitoring of standalone (non-ABAP) Web Dispatchers in SAP Solution Manager and shows how to create a custom security monitoring report based on the SAP Security Baseline Template¹ Version 2.2.
This blog post is structured into the following parts:
According to the SAP Security Baseline Template, Web Dispatchers can be secured with the following parameters:
| Parameter | Recommended Value | Description |
|---|---|---|
| is/HTTP/show_server_header | FALSE | Prohibits information disclosure by the Web Dispatcher Server Header. |
| is/HTTP/show_detailed_errors | FALSE | Prohibits information disclosure by Web Dispatcher error messages. |
| icm/SMTP/show_server_header | FALSE | Prohibits information disclosure by the Internet Communication Manager (ICM) Server Header. |
| icm/HTTP/auth_<x> | PREFIX=/,PERMFILE=/<filepath>/permfile,FILTER=SAP | Enables URL filtering through the Authorization Handler (ideally in the form of a URL whitelist, so that everything else unknown is blocked). Web Dispatcher releases below 7.31: update urgently or use wdisp/permission_table instead. |
| icm/HTTP/admin_<x> | Should contain CLIENTHOST=<IP address(es) of admin clients, semicolon separated> | Restricts administrative access to defined admin clients. |
| icm/HTTP/error_templ_path | /usr/sap/<SID>/<Instance>/data/icmerror | Redirects the disclosure of error information to an individual error page (this can be a blank one). |
| rdisp/TRACE_HIDE_SEC_DATA | 1 | Hides sensitive data such as security session cookies in HTTP request/response traces. |
| icm/trace_secured_data | 0 | Deactivates the display of HTTPS data packages in ICM traces. |
| icm/accept_forwarded_cert_via_http | 0 | Disables HTTPS certificate forwarding as an HTTP header. |
| icm/trusted_reverse_proxy_<x> | Should not contain wildcards (*) for SUBJECT or ISSUER | Trusts only selected reverse proxies. |
| icm/server_port_<x> | Should contain PROT=HTTPS (instead of HTTP) | Protects the server port using HTTPS. |

Parameter has been removed in the current version of the template.
(Placeholders for System IDs, filepaths and ascending numbers are written as <Placeholder>.)
The compliance with these security parameters can be monitored using the SAP Solution Manager Configuration Validation application.
[A general introduction to Configuration Validation (what comparison lists, target systems, configuration stores and configuration items are) can be found in the previous blog post How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder - Step: 3. Create a Configuration Validation Report]
For standalone Web Dispatchers (non-ABAP systems) the following Config Stores are available:
By design, security parameters are configured in the Instance Profile. As you can see, this has a different name in each system (<SID>_<Instance>_<hostname>).
For an evaluation over several systems the Config Stores must have the same name (see Instance Profile Config Store "ABAP_INSTANCE_PAHI" in ABAP systems).
=> An evaluation across several Web Dispatcher systems is therefore only possible using the Default Profile.
This leads us to the following workaround:
The following two security relevant parameters are located in the instance profile by default:
In the first step, these two must be moved to the Default Profile.
Problem: If the parameters are still used in the instance profile, the desired value of the default profile will be overwritten.
Recommendation: Write a reminder/reference to the relocated security configuration, such as:
```text
#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in the Default Profile (DEFAULT.pfl)
# Do NOT use the following Parameters in this Instance Profile:
# is/HTTP/show_server_header
# is/HTTP/show_detailed_errors
# icm/SMTP/show_server_header
# icm/HTTP/auth_<x>
# icm/HTTP/admin_<x>
# icm/HTTP/error_templ_path
# rdisp/TRACE_HIDE_SEC_DATA
# icm/trace_secured_data
# icm/accept_forwarded_cert_via_http
# icm/trusted_reverse_proxy_<x>
# icm/server_port_<x>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------
```
This ensures that there is no accidental double configuration. The rest of the security configuration can now be carried out in the Default Profile.
An exemplary security configuration in the default profile could then look like this:
```text
#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in this Default Profile.
# Do NOT overwrite the following Parameters in the Instance Profile:
is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=/sapmnt/<SID>/profile/permfile,FILTER=SAP
icm/HTTP/error_templ_path = /usr/sap/<SID>/<Instance>/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0
icm/trusted_reverse_proxy_0 = SUBJECT="",ISSUER=""
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=<Port>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),CLIENTHOST=<IP address>
#-----------------------------------------------------------------------
```
Now a corresponding Target System can be used to monitor whether the exemplary Default Profile configuration exists on all Web Dispatcher systems.
Since the Config Store "DEFAULT.PFL" is of type "Text", it is now time to work with regular expressions.
In my case, the following suggestion worked well:
| Line Content | Operator | Operator Pattern |
|---|---|---|
| is/HTTP/show_server_header = FALSE | = | is/HTTP/show_server_header = FALSE |
| is/HTTP/show_detailed_errors = FALSE | = | is/HTTP/show_detailed_errors = FALSE |
| icm/SMTP/show_server_header = FALSE | = | icm/SMTP/show_server_header = FALSE |
| icm/HTTP/auth_0 | Regex | .*profile/permfile,FILTER=SAP |
| icm/HTTP/admin_0 | Regex | .*CLIENTHOST=.* |
| icm/HTTP/error_templ_path | Regex | .*/data/icmerror |
| rdisp/TRACE_HIDE_SEC_DATA = 1 | = | rdisp/TRACE_HIDE_SEC_DATA = 1 |
| icm/trace_secured_data = 0 | = | icm/trace_secured_data = 0 |
| icm/accept_forwarded_cert_via_http = 0 | = | icm/accept_forwarded_cert_via_http = 0 |
| icm/trusted_reverse_proxy_0 | Regex | ^.*(ISSUER\|SUBJECT)[^*]+$ |
| icm/server_port_0 | Regex | .*icm/server_port_0 = PROT=HTTPS.* |
| icm/server_port_1 | Regex | .*icm/server_port_1 = PROT=HTTPS.* |
| icm/server_port_2 | Regex | .*icm/server_port_2 = PROT=HTTPS.* |
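To make the behaviour of these rules tangible, here is an added Python example (my own, not code from the original post and not an SAP tool) that parses a constructed DEFAULT.pfl and a constructed instance profile, applies the target system rules from the table above to the resulting "name = value" lines, and reproduces the override problem described earlier: DEFAULT.pfl on its own passes every rule, yet the two parameters still set in the instance profile make the effective configuration non-compliant. Assumptions: the "=" operator compares the whole line and "Regex" must match the whole line (that is how I read the Operator Pattern column); the SID WD1, instance W00, paths and IP address are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample DEFAULT.pfl (SID, instance, paths and IP are made up).
DEFAULT_PFL = """\
# SAP Web Dispatcher Security Configuration (constructed sample)
is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=/sapmnt/WD1/profile/permfile,FILTER=SAP
icm/HTTP/error_templ_path = /usr/sap/WD1/W00/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0
icm/trusted_reverse_proxy_0 = SUBJECT="CN=proxy01, O=Example", ISSUER="CN=Example CA"
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),CLIENTHOST=10.0.0.5
"""

# Constructed instance profile that still carries two monitored parameters,
# i.e. exactly the accidental double configuration the reminder block warns about.
INSTANCE_PFL = """\
SAPSYSTEMNAME = WD1
INSTANCE_NAME = W00
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/trace_secured_data = 1
"""

# Target system rules as (parameter, operator, pattern). Assumed semantics:
# "=" compares the whole "name = value" line, "Regex" must match the whole line.
RULES: List[Tuple[str, str, str]] = [
    ("is/HTTP/show_server_header", "=", "is/HTTP/show_server_header = FALSE"),
    ("is/HTTP/show_detailed_errors", "=", "is/HTTP/show_detailed_errors = FALSE"),
    ("icm/SMTP/show_server_header", "=", "icm/SMTP/show_server_header = FALSE"),
    ("icm/HTTP/auth_0", "Regex", r".*profile/permfile,FILTER=SAP"),
    ("icm/HTTP/admin_0", "Regex", r".*CLIENTHOST=.*"),
    ("icm/HTTP/error_templ_path", "Regex", r".*/data/icmerror"),
    ("rdisp/TRACE_HIDE_SEC_DATA", "=", "rdisp/TRACE_HIDE_SEC_DATA = 1"),
    ("icm/trace_secured_data", "=", "icm/trace_secured_data = 0"),
    ("icm/accept_forwarded_cert_via_http", "=", "icm/accept_forwarded_cert_via_http = 0"),
    ("icm/trusted_reverse_proxy_0", "Regex", r"^.*(ISSUER|SUBJECT)[^*]+$"),
    ("icm/server_port_0", "Regex", r".*icm/server_port_0 = PROT=HTTPS.*"),
]

# My stricter alternative for the proxy rule: the whole line must be free of '*'.
STRICT_PROXY_RULE = ("icm/trusted_reverse_proxy_0", "Regex", r"^[^*]+$")


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'name = value' lines of an SAP profile; '#' comments and blanks are skipped.
    Only the first '=' separates name and value, so 'PREFIX=/,PERMFILE=...' stays intact."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def effective_config(default: Dict[str, str], instance: Dict[str, str]) -> Dict[str, str]:
    """What the Web Dispatcher really runs with: the instance profile wins over DEFAULT.pfl."""
    merged = dict(default)
    merged.update(instance)
    return merged


def find_overrides(default: Dict[str, str], instance: Dict[str, str],
                   rules: List[Tuple[str, str, str]] = RULES) -> List[str]:
    """Monitored parameters the instance profile (re)defines, i.e. the double configuration to avoid."""
    monitored = {name for name, _, _ in rules}
    return sorted(name for name in instance if name in monitored)


def evaluate(config: Dict[str, str],
             rules: List[Tuple[str, str, str]] = RULES) -> Dict[str, str]:
    """Apply the target system rules to one configuration; returns parameter -> verdict."""
    verdicts: Dict[str, str] = {}
    for name, op, pattern in rules:
        if name not in config:
            verdicts[name] = "MISSING"
            continue
        line = f"{name} = {config[name]}"
        ok = line == pattern if op == "=" else re.fullmatch(pattern, line) is not None
        verdicts[name] = "COMPLIANT" if ok else "NON-COMPLIANT"
    return verdicts


def non_compliant(verdicts: Dict[str, str]) -> List[str]:
    """Parameters whose verdict is anything other than COMPLIANT (missing counts as a finding)."""
    return sorted(p for p, v in verdicts.items() if v != "COMPLIANT")


if __name__ == "__main__":
    default = parse_profile(DEFAULT_PFL)
    instance = parse_profile(INSTANCE_PFL)
    print("DEFAULT.pfl alone  :", non_compliant(evaluate(default)) or "all compliant")
    print("instance overrides :", find_overrides(default, instance))
    print("effective config   :", non_compliant(evaluate(effective_config(default, instance))))
```

One caveat worth knowing about the pattern `^.*(ISSUER|SUBJECT)[^*]+$`: it only guarantees that the text after the last SUBJECT or ISSUER is wildcard-free. A line such as `SUBJECT="*", ISSUER="CN=Example CA"` still matches, because the regex engine lets `.*` swallow the wildcard before ISSUER. Since the recommendation is that neither SUBJECT nor ISSUER contains a wildcard, a pattern that rejects any `*` on the line, such as `^[^*]+$` (STRICT_PROXY_RULE above, my suggestion), is the safer check.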
This newly created Target System "WDPSEC" can be run against a dynamic Comparison List for Web Dispatcher systems:
For me, the following Operator Validation Report gave clear results:
After making the following optional visual adjustments to the report:
- Removed rows (Context Menu - Remove Drilldown)
- Added rows (Navigation Block - Free Characteristics - Drilldown in the Rows)
- Filtered rows (Context Menu - Select Filter Value)
it results in the following Web Dispatcher Security Report:
(For illustrative purposes the parameters "is/HTTP/show_server_header" and "icm/trace_secured_data" were changed to non-compliant values)
This is one way in which the security configuration of standalone Web Dispatcher systems can be monitored.
Further ideas, suggestions for improvement or additions are welcome in the comments.
Reports in Configuration Validation are very technical but in most cases sufficient.
If you need a clearer, fiori-based dashboard view, you can use this report as a basis for further configuration in Dashboard Builder.
How to do that is explained in: How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder - Step: 4. Display Configuration Validation Report results in the Dashboard
¹ SAP Security Baseline Template Version 2.2 (2020-11): https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfo...
How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder: https://blogs.sap.com/2019/04/26/how-to-create-fiori-based-security-dashboards-in-solution-manager-d...
How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard...