kai_bauer

Introduction

The SAP Web Dispatcher, a combination of software web switch, reverse proxy and gateway, is in most cases the entry point between the Internet and the backend systems. A sensible security configuration, checked regularly, is therefore essential.

In addition to my previous blog posts:

this article is intended to help overcome minor difficulties in the security monitoring of standalone (non-ABAP) Web Dispatchers in SAP Solution Manager and shows how to create a custom security monitoring report based on the SAP Security Baseline Template¹ Version 2.2.

 

Contents

This blog post is structured into the following parts:

  1. Web Dispatcher Security
  2. Security Monitoring in Solution Manager Configuration Validation
    1. Problem: It is not possible to validate the instance profile
    2. Workaround: Moving the security parameters to the Default Profile
    3. Exemplary security configuration in the Default Profile
    4. Building a Configuration Validation Target System
    5. Running the Target System against a dynamic Web Dispatcher Comparison List
    6. Result: Custom Web Dispatcher Security Report
  3. Addition: Presentation in a Security Dashboard

 

Web Dispatcher Security

According to the SAP Security Baseline Template, Web Dispatchers can be secured with the following parameters (parameter, recommended value, description):

  • is/HTTP/show_server_header
    Recommended value: FALSE
    Prevents information disclosure through the Web Dispatcher Server header.
  • is/HTTP/show_detailed_errors
    Recommended value: FALSE
    Prevents information disclosure through detailed Web Dispatcher error messages.
  • icm/SMTP/show_server_header
    Recommended value: FALSE
    Prevents information disclosure through the Internet Communication Manager (ICM) Server header.
  • icm/HTTP/auth_<x>
    Recommended value: PREFIX=/,PERMFILE=/<filepath>/permfile,FILTER=SAP
    Enables URL filtering through the authorization handler, ideally as a URL whitelist so that every URL not explicitly permitted is blocked.
    Web Dispatchers older than 7.31: update urgently or use wdisp/permission_table instead.
  • icm/HTTP/admin_<x>
    Recommended value: should contain CLIENTHOST=<IP address(es) of the admin clients, semicolon-separated>
    Restricts administrative access to the defined admin clients.
  • icm/HTTP/error_templ_path
    Recommended value: /usr/sap/<SID>/<Instance>/data/icmerror
    Replaces the default error output with a custom error page (which can be blank), so that no error details are disclosed.
  • rdisp/TRACE_HIDE_SEC_DATA
    Recommended value: 1
    Hides security-relevant data such as security session cookies in HTTP request/response traces.
  • icm/trace_secured_data
    Recommended value: 0
    Deactivates the writing of decrypted HTTPS data to ICM traces.
  • icm/accept_forwarded_cert_via_http
    Recommended value: 0
    Disables the acceptance of client certificates forwarded in an HTTP header.
  • icm/trusted_reverse_proxy_<x>
    Recommended value: must not contain wildcards (*) for SUBJECT or ISSUER
    Trusts only the explicitly named reverse proxies.
  • icm/server_port_<x>
    Recommended value: should contain PROT=HTTPS (instead of HTTP)
    Protects the server port with HTTPS.
  • wdisp/use_sap_vhost_for_dispatching
    Recommended value: FALSE
    Parameter has been removed in the current version of the template.

(Placeholders for System IDs, filepaths and ascending numbers are written as <Placeholder>.)

 

Security Monitoring in Solution Manager Configuration Validation

The compliance with these security parameters can be monitored using the SAP Solution Manager Configuration Validation application.

[A general introduction to Configuration Validation (what are comparison list, target system, configuration store & configuration items) can be found in the previous blog post How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder - Step: 3. Create a Configuration Validation Report]

 

Problem: It is not possible to validate the instance profile

For standalone Web Dispatchers (non-ABAP systems) the following Config Stores are available:

  • <SID>_<Instance>_<hostname> (Configuration of the Instance Profile)
  • DEFAULT.PFL (Configuration of the Default Profile)

By design, the security parameters are configured in the instance profile. As you can see, its Config Store has a different name in each system (<SID>_<Instance>_<hostname>).

For an evaluation across several systems the Config Stores must share the same name (compare the instance profile Config Store "ABAP_INSTANCE_PAHI" in ABAP systems).

=> An evaluation across several Web Dispatcher systems is therefore only possible via the Default Profile.

This leads us to the following workaround:

 

Workaround: Moving the security parameters to the Default Profile

The following two security-relevant parameters are located in the instance profile by default:

  • icm/server_port_<x>
  • icm/HTTP/admin_<x>

In the first step, these two must be moved to the Default Profile.

Problem: if a parameter is still set in the instance profile, the instance profile takes precedence and overrides the desired value in the default profile. The Configuration Validation check would then report the default profile value as compliant although a different value is in effect.

Recommendation: Write a reminder/reference to the relocated security configuration, such as:

 

#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in the Default Profile (DEFAULT.pfl)
# Do NOT use the following Parameters in this Instance Profile:
# is/HTTP/show_server_header
# is/HTTP/show_detailed_errors
# icm/SMTP/show_server_header
# icm/HTTP/auth_<x>
# icm/HTTP/admin_<x>
# icm/HTTP/error_templ_path
# rdisp/TRACE_HIDE_SEC_DATA
# icm/trace_secured_data
# icm/accept_forwarded_cert_via_http
# icm/trusted_reverse_proxy_<x>
# icm/server_port_<x>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
# -> Default Profile (DEFAULT.pfl)
#-----------------------------------------------------------------------

 

This ensures that there is no accidental double configuration. The rest of the security configuration can now be carried out in the Default Profile.

 

Exemplary security configuration in the Default Profile

An exemplary security configuration in the default profile could then look like this:

 

#-----------------------------------------------------------------------
# SAP Web Dispatcher Security Configuration
#-----------------------------------------------------------------------
# For Monitoring with Solution Manager, the Security Configuration
# is located in this Default Profile.
# Do NOT overwrite the following Parameters in the Instance Profile:
is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=/sapmnt/<SID>/profile/permfile,FILTER=SAP
icm/HTTP/error_templ_path = /usr/sap/<SID>/<Instance>/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0
# Subject and issuer of the trusted proxy's certificate, without wildcards (*)
icm/trusted_reverse_proxy_0 = SUBJECT="<Subject>",ISSUER="<Issuer>"
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTPS,PORT=<Port>
#-----------------------------------------------------------------------
# SAP Web Dispatcher Administration
#-----------------------------------------------------------------------
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),CLIENTHOST=<IP address>
#-----------------------------------------------------------------------

 

Building a Configuration Validation Target System

Now a corresponding Target System can be used to monitor whether the exemplary Default Profile configuration exists on all Web Dispatcher systems.

Since the Config Store "DEFAULT.PFL" is of type "Text", the checks are line-based: a configuration item is either compared with a complete profile line (operator "=") or matched against a regular expression (operator "Regex").

In my case, the following suggestion worked well:

 

Target system "WDPSEC" (line content, operator, operator pattern):

  • is/HTTP/show_server_header = FALSE
    Operator: =
    Pattern: is/HTTP/show_server_header = FALSE
  • is/HTTP/show_detailed_errors = FALSE
    Operator: =
    Pattern: is/HTTP/show_detailed_errors = FALSE
  • icm/SMTP/show_server_header = FALSE
    Operator: =
    Pattern: icm/SMTP/show_server_header = FALSE
  • icm/HTTP/auth_0
    Operator: Regex
    Pattern: .*profile/permfile,FILTER=SAP
  • icm/HTTP/admin_0
    Operator: Regex
    Pattern: .*CLIENTHOST=.*
  • icm/HTTP/error_templ_path
    Operator: Regex
    Pattern: .*/data/icmerror
  • rdisp/TRACE_HIDE_SEC_DATA = 1
    Operator: =
    Pattern: rdisp/TRACE_HIDE_SEC_DATA = 1
  • icm/trace_secured_data = 0
    Operator: =
    Pattern: icm/trace_secured_data = 0
  • icm/accept_forwarded_cert_via_http = 0
    Operator: =
    Pattern: icm/accept_forwarded_cert_via_http = 0
  • icm/trusted_reverse_proxy_0
    Operator: Regex
    Pattern: ^[^*]*(ISSUER|SUBJECT)[^*]*$
  • icm/server_port_0
    Operator: Regex
    Pattern: .*icm/server_port_0 = PROT=HTTPS.*
  • icm/server_port_1
    Operator: Regex
    Pattern: .*icm/server_port_1 = PROT=HTTPS.*
  • icm/server_port_2
    Operator: Regex
    Pattern: .*icm/server_port_2 = PROT=HTTPS.*

Two caveats: the pattern for icm/HTTP/admin_0 only verifies that CLIENTHOST is set at all, so which addresses are listed still has to be reviewed manually. The pattern for icm/trusted_reverse_proxy_0 forbids an asterisk anywhere on the line; a pattern of the form ^.*(ISSUER|SUBJECT)[^*]+$ would only inspect the text after the last keyword, and a wildcard inside SUBJECT would pass unnoticed.
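As an added example (my own illustration, not code from the original post and not an SAP tool), the following Python script reproduces the two checks described above offline: it parses a constructed DEFAULT.PFL and instance profile, reports the monitored parameters that the instance profile would override (the problem from the workaround section), and evaluates the target-system rules with the same "Yes" / "No" / "Item not found" outcome as the Configuration Validation report. It also contrasts a loose wildcard pattern of the form ^.*(ISSUER|SUBJECT)[^*]+$ with one anchored over the whole line. SID WD1, instance W00, the addresses and the certificate names are made up; profile features such as INCLUDE and $(...) substitution are not handled.

```python
# Added example (not from the original post, not an SAP tool): checks a
# constructed DEFAULT.PFL / instance profile pair against the baseline
# parameters of this post. SID WD1, instance W00, addresses and certificate
# names are made up; INCLUDE and $(...) substitution are not handled.
import re

# Constructed sample: hardened DEFAULT.PFL, one port deliberately left on HTTP.
DEFAULT_PFL = """\
is/HTTP/show_server_header = FALSE
is/HTTP/show_detailed_errors = FALSE
icm/SMTP/show_server_header = FALSE
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=/sapmnt/WD1/profile/permfile,FILTER=SAP
icm/HTTP/error_templ_path = /usr/sap/WD1/W00/data/icmerror
rdisp/TRACE_HIDE_SEC_DATA = 1
icm/trace_secured_data = 0
icm/accept_forwarded_cert_via_http = 0
icm/trusted_reverse_proxy_0 = SUBJECT="CN=rproxy.example.test,O=Example",ISSUER="CN=Example CA"
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/server_port_1 = PROT=HTTP,PORT=8000
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),CLIENTHOST=10.0.0.5
"""
# Constructed sample: instance profile with a forgotten leftover. The instance
# profile takes precedence, so the DEFAULT.PFL value is not what runs.
INSTANCE_PFL = """\
SAPSYSTEMNAME = WD1
INSTANCE_NAME = W00
is/HTTP/show_server_header = TRUE
"""

# Parameters from the post's baseline table; a trailing underscore covers _<x>.
MONITORED = (
    "is/HTTP/show_server_header", "is/HTTP/show_detailed_errors",
    "icm/SMTP/show_server_header", "icm/HTTP/auth_", "icm/HTTP/admin_",
    "icm/HTTP/error_templ_path", "rdisp/TRACE_HIDE_SEC_DATA",
    "icm/trace_secured_data", "icm/accept_forwarded_cert_via_http",
    "icm/trusted_reverse_proxy_", "icm/server_port_",
)
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """{parameter: value}; '#' comments skipped, a later assignment wins."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def find_overrides(instance_params):
    """Monitored parameters set in the instance profile: they override
    DEFAULT.PFL and escape a check that can only see the default profile."""
    return sorted(p for p in instance_params if p.startswith(MONITORED))


_EXACT = {  # '=' checks of the target system, applied to the value part
    "is/HTTP/show_server_header": "FALSE", "is/HTTP/show_detailed_errors": "FALSE",
    "icm/SMTP/show_server_header": "FALSE", "rdisp/TRACE_HIDE_SEC_DATA": "1",
    "icm/trace_secured_data": "0", "icm/accept_forwarded_cert_via_http": "0",
}
_REGEX = {  # Regex checks; CLIENTHOST is only tested for presence, not for
    # whether the listed addresses are the right admin clients.
    "icm/HTTP/auth_0": r".*PERMFILE=[^,]+,FILTER=SAP",
    "icm/HTTP/admin_0": r".*CLIENTHOST=[^,]+",
    "icm/HTTP/error_templ_path": r".*/data/icmerror",
}


def validate(params):
    """Compliance per item as in the report: 'Yes', 'No' or 'Item not found'."""
    result = {}
    for name, want in _EXACT.items():
        got = params.get(name)
        result[name] = ("Item not found" if got is None
                        else "Yes" if got.upper() == want else "No")
    for name, pattern in _REGEX.items():
        got = params.get(name)
        result[name] = ("Item not found" if got is None
                        else "Yes" if re.fullmatch(pattern, got) else "No")
    for name, value in params.items():  # numbered parameters: check every <x>
        if name.startswith("icm/trusted_reverse_proxy_"):
            result[name] = "No" if "*" in value else "Yes"
        elif name.startswith("icm/server_port_"):
            ok = re.search(r"(^|,)\s*PROT=HTTPS\s*(,|$)", value, re.I)
            result[name] = "Yes" if ok else "No"
    return result


# Wildcard test for icm/trusted_reverse_proxy_<x> on a whole profile line.
# LOOSE lets the greedy '.*' run up to the LAST keyword, so only the text
# after ISSUER is inspected and a '*' inside SUBJECT slips through;
# ANCHORED forbids '*' anywhere on the line.
LOOSE = re.compile(r"^.*(ISSUER|SUBJECT)[^*]+$")
ANCHORED = re.compile(r"^[^*]*(ISSUER|SUBJECT)[^*]*$")


def no_wildcard(line, pattern=ANCHORED):
    """True when the pattern judges the line compliant (no wildcard)."""
    return pattern.search(line) is not None


if __name__ == "__main__":
    print("overridden in instance profile:",
          find_overrides(parse_profile(INSTANCE_PFL)))
    for item, status in sorted(validate(parse_profile(DEFAULT_PFL)).items()):
        print(f"{status:15} {item}")
```

Run against real files, the script would take the two profiles from /sapmnt/<SID>/profile; the override list is the part that Configuration Validation cannot produce on its own, since it never sees the instance profile of a standalone Web Dispatcher.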

 

Running the Target System against a dynamic Web Dispatcher Comparison List 

This newly created Target System "WDPSEC" can be run against a dynamic Comparison List for Web Dispatcher systems:



For me, the following Operator Validation Report gave clear results: 

  • 0TPL_0SMD_VCA2_CITEMS_REF (shows all configuration items; config stores and configuration items are selectable)

 

Result: Custom Web Dispatcher Security Report

After making the following optional visual adjustments to the report:

  • Removed rows (Context Menu - Remove Drilldown):
    • ConfigStore Name
    • Goto
    • Config Item
  • Added rows (Navigation Block - Free Characteristics - Drilldown in the Rows):
    • Cv. DataOperator
  • Filtered rows (Context Menu - Select Filter Value):
    • Compliance
      • Item not found
      • Yes

it results in the following Web Dispatcher Security Report:

(For illustrative purposes the parameters "is/HTTP/show_server_header" and "icm/trace_secured_data" were changed to non-compliant values)

This is an exemplary way how the security configuration for standalone Web Dispatcher systems can be monitored.

Further ideas, suggestions for improvement or additions are welcome in the comments.

 

Addition: Presentation in a Security Dashboard

Reports in Configuration Validation are very technical but in most cases sufficient.

If you need a clearer, fiori-based dashboard view, you can use this report as a basis for further configuration in Dashboard Builder.


How to do that is explained in: How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder - Step: 4. Display Configuration Validation Report results in the Dashboard

 

Sources and related content

¹ SAP Security Baseline Template Version 2.2 (2020-11): https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfo...

How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder: https://blogs.sap.com/2019/04/26/how-to-create-fiori-based-security-dashboards-in-solution-manager-d...

How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard...
