Technical Connectivity Guide INTERNAL
On-Demand Solutions from SAP
Document Version: 1.0 – 2012-04-18
Technical Connectivity Guide for
SAP Cloud Applications
Authors: Jörg Nalik, Andreas Wildhagen
© 2012 SAP AG. All rights reserved.
Document History
Before you start working with this document, make sure you have the latest version. You can find the latest
version on the Business Center for On-Demand Solutions from SAP.
For questions and feedback, please contact the authors:
[email protected] or [email protected].
Version  Date        Change
1.0      2012-01-30  Initial version
1.1      2012-02-29  Copy-edited version; no content changes – final draft version
1.2      2012-06-25  New template applied; released for CUSTOMER; no content changes
Table of Contents
1 Introduction
2 Connectivity Architecture
3 Network Services Requirements
4 Reference Landscape
4.1 Reference Scenario
4.2 Secure Communication Using SSL
4.2.1 SAP Web AS Consumes SAP Cloud Service
4.2.2 SAP Cloud Consumes SAP Web AS Service
4.3 Landscape Variations (Examples)
4.3.1 High Security Landscape
4.3.2 Alternative Landscape
5 Procedure Model
5.1 Preparation
5.2 Install Web Dispatcher and Crypto Libraries
5.3 Enable SSL on SAP Web AS and SAP Web Dispatcher
5.3.1 Import Certificates in SAP Web AS ABAP Trust Manager
5.3.2 Create Self-Signed SSL Server Certificate on SAP Web AS
5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher
5.3.4 Import SAP Web AS Server Certificate into SAP Web Dispatcher’s Trust Manager
5.3.5 Import SAP Web Dispatcher’s Client Certificate into SAP Web AS ABAP Trust Manager
5.4 Configure Network Components
5.4.1 Configure Firewall Settings
5.4.2 Configure URL Filter and Rewrite Rules on SAP Web Dispatcher
5.4.3 Client Certificate Handling with SAP Web Dispatcher
5.4.4 Example SAP Web Dispatcher Configurations
5.4.5 Configure Settings on Additional Connectivity Components
5.5 Define Certificate to User Mapping in SAP Web AS
5.5.1 Preparation
5.5.2 Define Mapping
5.6 Perform Connectivity Tests
5.7 Selected Application Integration Topics
5.7.1 Verify SSL Support on SAP Web AS and SAP Web Dispatcher
5.7.2 SAP Web Dispatcher Performance Tuning
5.7.3 Configure SSL on HTTP Destinations Using SM59
5.7.4 Configure SSL for IDOC over SOAP
5.7.5 Signing Certificate Requests using SAP Trust Service
5.7.6 Configure SSL using SOA Manager
6 SAP Supported Certification Authorities
6.1 Valid Trusted CAs
6.2 Valid CAs for Signing Server Certificates
6.3 Valid CAs for Signing Client Certificates
7 Further Reading
7.1 Guidelines
7.2 Product Documentation
7.3 SAP Developer Network
7.4 SAP Press Books
7.5 SAP Notes
1 Introduction
This document gives an overview of technical connectivity for SAP on-demand (OD) applications that are
integrated with existing customer SAP on-premise (OP) products, such as SAP ERP.
Caution
This document recommends how to set up the technical connectivity for SAP on-demand (OD)
applications that are integrated with existing customer SAP on-premise (OP) products, such as SAP ERP.
SAP is not liable for any consequences or damages resulting from the use of this document.
The following are examples of these “hybrid landscape solutions”:
- SAP Cloud for Customer with SAP ERP or SAP CRM integration
- SAP Cloud for Travel with SAP ERP and/or SAP HCM integration
- SAP Business ByDesign for Large Enterprise Subsidiaries
In contrast to application integration within one data center, the integration of application components in hybrid
landscapes requires the penetration of network security perimeters of the customer data center and the cloud
environment, connectivity via wide area networks (WAN) of the internet (as opposed to just LAN - local area
network - connectivity) and network traffic encryption for security.
In this document, we describe the following:
- The minimal list of required network services for supporting hybrid-landscape-based applications
- Further network services which can be considered for additional reliability and security
- An application/network reference architecture
- A concrete implementation example with detailed configuration guide based on the SAP Web Dispatcher.
Target Group
This document is intended for project managers and network and security experts, as well as SAP technology
experts working on integrating an SAP Cloud product with the customer’s on-premise SAP application landscape.
We recommend that SAP application project teams use this document to clearly communicate with customer
network and security IT groups in order to coordinate the necessary work.
Scope
The focus is on applications built on the SAP Business ByDesign platform delivered to customers. From the
product portfolio, it is intended for SAP Cloud for Customer, SAP Cloud for Travel, SAP Business ByDesign in
Subsidiaries – and applications with similar characteristics.
This document does not cover the following issues:
- End-user - meaning browser and mobile - technical connectivity with SAP Cloud.
- Single sign-on and identity management.
- Implications of data privacy laws in the various countries where you operate.
Assumptions and Prerequisites
- You plan to integrate an SAP Business Suite system, such as SAP ERP, with an SAP Cloud Solution.
- You have access to SAP Service Marketplace; that is, you have S-user access to SAP Service Marketplace.
- You have access - that is, you have licenses - for the download of SAP NetWeaver technology components
  from the SAP Software Download Center.
- You know experts who can configure SAP systems on operating system and SAP Basis level.
- Your company security policy allows for communication between your on-premise SAP systems and SAP
  Cloud environment over the internet.
- You have the means to obtain public IP addresses and Domain Name Service entries visible on the public
  Internet.
2 Connectivity Architecture
Your network infrastructure is extremely important for reliable integration of your application components and
services, and to ensure that they are fully secured and perform well. Reliability is needed for uninterrupted
availability of your application. Security is needed to protect your confidential business data. Good performance is
needed to save costs and to satisfy end users with a good usage experience. Security can be further broken down
into the areas of data access, data transport, and data storage. While security of data storage is taken care of
through backup and similar measures on the application side, data access and transport security is a service of
your network infrastructure.
A well-defined network topology can eliminate many security threats based on software flaws (at both the
operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your
application or database servers at the operating system or database layer, then there is no way for intruders to
compromise machines and gain access to the SAP System database or files. Additionally, if users are not able to
connect to the server LAN, they cannot exploit well-known bugs and security holes in operating systems on the
server machines.
Again, your strategy and your priorities are the most important factor in deciding what level of security is
necessary for your network infrastructure. We offer general recommendations when establishing your network
topology, which include using a firewall and other intermediary devices - such as the SAP Web Dispatcher and the
SAProuter - to protect your local network. To protect SAP system communications at the transport layer, the SAP
NetWeaver products support the use of the Secure Sockets Layer (SSL) protocol and Secure Network
Communications (SNC).
Note
Depending on your current situation, you may want to modify the described secure network setup to fit
your needs. We offer such suggestions and recommendations at various security levels. If the plan
described here does not fit your needs, contact our consultants, who are also available to assist you in
setting up your network securely.
For more information, see also the SAP NetWeaver Network Security Guide:
- On SAP Service Marketplace at: https://service.sap.com/security
- On the SAP Help Portal, for example, for SAP NetWeaver 7.3 EHP1 at:
  http://help.sap.com/saphelp_nw73ehp1/helpdata/en/0a/0a2e00ef6211d3a6510000e835363f/content.htm
3 Network Services Requirements
Technical networks are essential complements to your business applications, and the reason why most big
companies have a dedicated IT network group. Networks are typically described as OSI Layer 1 through 7
architectures, starting with cabling, switching, and routing as layers 1 through 3, which we are not covering in this
document. It is essential that you work with your network group to arrange proper network connectivity within
your data center and to your company’s Internet Service Provider (ISP).
Many companies also have a dedicated IT security group that governs security as a whole across different
technology layers like application, storage, networks, and more. Ultimately, when you connect your on-premise
systems to on-demand systems, the triumvirate of application, network, and security groups in your organization
need to collaborate and be involved.
Looking beyond OSI Layer 1-3 network basics, your company’s network should provide network services, which
support reliability, security, and good performance for your productive application operation. There is a wide
range of such network services - considered part of the OSI Layers 4 through 7 – available, examples of which you
can see in the table below:
This document focuses on the essential network services requirements. These services are mostly related to the
security of your business data and business application operation. Typically, your data center is a well-guarded
physical environment where your OP SAP applications are placed in an inner security zone. The Local Area
Network (LAN) of that zone has to be strictly separated from the public internet, which is achieved using a
“demilitarized” (DMZ) network zone at the “edge” of your data center to outside public networks.
NC-1: No direct network connection from public networks to OP SAP applications shall be allowed.
This recommendation gives rise to the need for network services inside the DMZ, which terminate network
connections from the inner and the outer networks.
For the outbound traffic of your data center, the term “proxy” is commonly used for such network services. The
inbound traffic is guarded by “reverse proxies”. The inner security zone, the DMZ, and public networks are
separated by firewalls which act as filters of network traffic and allow only the desired traffic to pass. Firewalls and
proxies together provide the necessary control over access to OP application data from the outside, as well as
control over which OP application data is sent to the outside.
Firewalls typically work as in-line devices which filter out undesired network traffic without terminating network
connections. Proxies do terminate connections, which allows them to hide the inner network topology of your data
center from the outside world. Proxies and reverse proxies often provide higher level traffic-filtering functions, and
they can transform the network traffic content: for example, they can decrypt secure traffic into clear text traffic.
This is their most common use, and it is described in more detail in the following sections.
The minimal overall network topology is shown in the figure below. (Note: we use the term “proxy” as an umbrella
term for both proxy and reverse proxy.)
[Figure not reproduced: minimal overall network topology. Surviving label: System of Record]
The OnPremise side and the OnDemand side are like two fortresses, one operated by your company and the other
by SAP. While both ends are secure, the public internet in between them is not. Your business data sent between
both locations needs to be confidential. This leads to the following simple, but strongly recommended, guideline:
NC-2: All business application network traffic transmitted via Wide Area Networks shall be encrypted.
The following sections describe in more detail how application traffic can be encrypted by either the application
server or the (reverse) proxies, or both.
A common way to make it difficult to break into your inner network is to hide the inner security zone topology from
the outer world – a bit like lowering the blinds on your windows so that nobody can look inside your house.
Network topology is made up of IP addresses, server hostnames, network ports, and more. The main purpose of a
reverse proxy is to expose only a defined set of public URLs of your company to the outside world - like
https://mycompany.com:443/serviceX - and to then route incoming https requests to the application server,
which provides services. Therefore, the reverse proxy has to perform URL transformations between public URLs
and the URLs used in the inner security zone of your data center.
Note
These URL translations should also be performed on the outgoing responses. Otherwise, the outside On
Demand application could not use address references in a response, and information about your
inner security zone network technology might be accidentally sent to the outside world.
A proxy has a similar function to a reverse proxy, except that in this case the OP application is the one sending a
request to a public URL on the On Demand side. The URL transformation task - often also referred to as URL
rewriting - is analogous to the reverse proxy case. In summary:
NC-3: Inner network security zone topologies - in particular IP addresses and host names of the application
servers - should be kept confidential and hidden from the outside world and even trusted business partners,
represented by the On Demand side, through the use of proxies and reverse proxies which perform TCP/IP
protocol level connection termination and URL translations.
After covering security considerations, you should also consider the reliability of your overall business application
solution. When implementing proxy and reverse proxy solutions you should be aware that if they break,
connectivity will be disrupted, which would mean an important part of your business application would experience
downtime, even if the application servers were working perfectly. Therefore, it is important to consider high
availability (HA) deployment of your proxy solutions, and you should implement enough computing capacity for
the proxies for your expected workload.
For an example of an HA setup and capacity sizing of the SAP Web Dispatcher that can be used as reverse proxy,
see the following document:
https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf
NC-4: Consider high availability deployments and appropriate computing capacity sizing of your proxy and
reverse proxy solutions.
The third requirement category to check is performance. HTTP request response times over WANs are, in most
cases, significantly longer than in local area networks, due to bandwidth, latency, and packet loss constraints of
the WAN.
For more information, see Testing Secure Enterprise SOA Applications Across Wide Area Networks without
Leaving the Lab in the SAP Developer Network at:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00aa0f0b-3c4d-2a10-5593-a57beda851c0
This document also describes how you can perform combined application/network tests.
A second impact on performance is that security and reliability services cause extra processing demands
compared to a LAN connection. Both performance impacts can be mitigated to some extent through proper
performance tuning of your proxy and reverse proxy implementation.
A major factor in increased WAN response times is the handshake processing required when TCP/IP
connections are opened and SSL sessions are established. The frequency with which some
handshakes are needed can be lowered by using the HTTP 1.1 through proxy standard. All network and application
services following that standard allow configuration of a connection timeout parameter, which is often named
keep-alive. Choosing a higher keep-alive value - maybe 60 seconds or more - lowers the frequency of opening new
connections and improves overall average response times.
NC-5: All network and application services should support the HTTP 1.1 through proxy standard and the
connection timeout configuration parameter should be tuned for improving average response times.
On the computing resource side, it should be noted that proxies and reverse proxies often offload network
protocol-related processing from the application servers. Even if that offloading may only be a few percent of the
overall application processing, it might be worthwhile doing in large application environments, because
application server TCO is usually much higher than network services TCO. The prime example for offloading
would be to terminate an SSL session at the proxy/reverse proxy, and to use a clear text connection between
them and the OP application server. However, such performance optimization is only possible if it does not
conflict with the security rules of your company, which, for instance, might require end-to-end traffic encryption.
Other process offloading capabilities are known, but their availability depends on the network service products
you’d like to use.
This concludes the minimal requirement section. In addition, there is a larger range of network services known
which can further improve the reliability, security, and performance of your OP-OD integration.
A more general class of network services products is referred to as Application Delivery Controllers (ADC). ADCs
typically include proxy and reverse proxy capabilities, but they also offer other services, most prominently
load balancing. Load balancing of inbound traffic to application servers is essential for enabling HA and
scale out deployments of application servers themselves. As a side effect, Load Balancers also function almost as
reverse proxies, which means that both functions can be deployed as one product instance. A good example of
such an ADC solution is the SAP Web Dispatcher product. In addition, load balancing to the outbound traffic side
is possible, for instance if your company maintains multiple connections to the internet from different internet
service providers. This way a more reliable internet access can be achieved.
The list of further additional ADC services is long. Here are some examples:
- Defense against distributed denial of service attacks (DDoS attacks)
- Blacklist/whitelist URL filtering
- Traffic content and rule-based security filters
- Further TCP/IP protocol optimization and offloading capabilities in addition to the ones described above
- Bandwidth management capabilities for prioritizing your application traffic (maybe over YouTube traffic)
Different network vendors bundle different capabilities into their ADC products. SAP maintains partnering
relations with most industry-leading network vendors, and has certified some of their products as shown in the
following figure:
You can find an up-to-date list of SAP certified network products at:
http://www.sap.com/ecosystem/customers/directories/searchpartner.epx.
You may search for SAP-defined integration scenarios: ESOA-AW-PO, ESOA-AW-RA and ESOA-AW-SEC to find
certified solutions for the areas reliability (RA), security (SEC), and performance (PO), or you might search by
your preferred network vendor company name.
Many network products are also listed on the SAP Ecohub at http://ecohub.sap.com.
The following document provides generic information about network products of some vendors:
http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7447
4 Reference Landscape
Note
For the sake of simplicity, the reference landscape used in this document uses few network zones.
Depending on the complexity and security requirements of your own landscape, you may need to use
additional zones, and add or replace components.
The following figure depicts the reference landscape for SAP on-demand / on premise technical connectivity
based on HTTPS and secure proxy / reverse proxy components.
The diagram contains the following elements in the customer landscape:
(1) SAP Web Application Server. For on demand / on premise communication, the SAP Web Application
Server can act as the client calling the SAP OnDemand environment, or it can act as the server where SAP
OnDemand environment invokes the SAP Web AS in the customer landscape.
(2) A firewall separates the high security area with the SAP Web Application Server, Database Management
System, and so on, from the demilitarized zone (DMZ).
(3) SAP Web Dispatcher acts as HTTP / HTTPS reverse proxy for calls from outside the customer landscape
to (1).
(3’) A transparent HTTP(S) proxy forwards communication from SAP Web AS (1) to locations external to the
customer landscape.
(4) A firewall separates the public internet from the customer DMZ.
The above diagram shows a schematic topology of SAP Cloud Solutions in the SAP OnDemand Landscape:
(5) A firewall separates the public internet from the SAP OnDemand Landscape (“SAP Cloud”).
(6) An application delivery controller provides proxy / reverse proxy and additional security capabilities.
(7) A firewall separates the DMZ from the high security zone in the SAP OnDemand landscape.
(8) SAP OnDemand application services are operated in high security network zones.
4.1 Reference Scenario
In the fictitious reference scenario, SAP Web AS (1) provides a service over HTTPS, such as an IDOC over SOAP
(inbound) endpoint or a Web Service. This service is consumed by SAP OnDemand (8).
SAP OnDemand (8) exposes a service over HTTPS, for example, an IDOC over SOAP or Web Service end point.
SAP Web AS
SAP Web AS (1) resides in the high security network zone. Let the internal host name be
mysapwebas.secure.mycompany.corp. This host has neither a public IP address nor a public DNS entry.
By default, the SAP Web AS inbound port is 443$$, where $$ represents the system’s “instance ID”.
The instance ID of the system in the reference landscape is 00. Web AS (1) in the reference landscape uses
default NetWeaver SSL port 44300.
A SAP Web AS instance (1) with host name webapi.mycompany.com processes HTTPS requests from SAP Cloud
(8). This host shall process incoming IDOC messages in client 311 using the IDOC / SOAP channel.
The default URL for this service then is
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
We hide internal implementation details such as SAP Web AS (1) host name, service path etc. for communication
from the public Internet. Instead, we use a “descriptive URL” for this service:
https://webapi.mycompany.com:443/sapcloudapi/idoc
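The URL translation required by NC-3, applied to the two reference URLs above, as an added Python example (it is not SAP Web Dispatcher configuration and not code from this guide). The route table, the dropping of caller-supplied query strings, the list of rewritten headers, and the internal DNS suffix check are assumptions made for illustration.

```python
"""Reverse-proxy URL translation for the reference scenario (illustrative only)."""
from urllib.parse import urlsplit

# Origins taken from the reference scenario in this guide: (scheme, host, port).
PUBLIC = ("https", "webapi.mycompany.com", 443)
INTERNAL = ("https", "mysapwebas.secure.mycompany.corp", 44300)

# Assumption: everything under this DNS suffix is inner-zone and must never leave.
INTERNAL_SUFFIX = ".secure.mycompany.corp"

# Allowlist: public path -> (internal path, fixed internal query).
# Any public path that is not listed here is rejected.
ROUTES = {"/sapcloudapi/idoc": ("/sap/bc/srt/IDoc", "sap-client=311")}
REVERSE = {internal: public for public, (internal, _query) in ROUTES.items()}

# Assumption: response headers that can carry absolute URLs.
URL_HEADERS = {"location", "content-location"}


def _split(url):
    """Return (scheme, host, port, path) for an https URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, 443 if port is None else port, parts.path)


def to_internal(public_url):
    """Translate an inbound public URL; None means the request is refused."""
    parsed = _split(public_url)
    if parsed is None or parsed[:3] != PUBLIC:
        return None
    route = ROUTES.get(parsed[3])  # exact match only, so no path tricks
    if route is None:
        return None
    path, query = route
    # The caller's query string is dropped: the SAP client is fixed by the proxy.
    return f"{INTERNAL[0]}://{INTERNAL[1]}:{INTERNAL[2]}{path}?{query}"


def to_public(internal_url):
    """Translate an internal URL found in a response; None if it has no public form."""
    parsed = _split(internal_url)
    if parsed is None or parsed[:3] != INTERNAL:
        return None
    public_path = REVERSE.get(parsed[3])
    if public_path is None:
        return None
    return f"{PUBLIC[0]}://{PUBLIC[1]}:{PUBLIC[2]}{public_path}"


def leaks_internal_name(text):
    """True if the text mentions a host in the inner security zone."""
    return INTERNAL_SUFFIX in text.lower()


def rewrite_response_headers(headers):
    """Rewrite URL-bearing headers; drop those that would expose an inner host."""
    out = {}
    for name, value in headers.items():
        if name.lower() in URL_HEADERS and leaks_internal_name(value):
            public = to_public(value)
            if public is None:
                continue  # no public equivalent: drop rather than leak
            value = public
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample request and response, not captured traffic.
    target = to_internal("https://webapi.mycompany.com:443/sapcloudapi/idoc")
    print("forward to:", target)
    print("response headers:", rewrite_response_headers({"Location": target}))
```
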
SAP Cloud
Our reference scenario implements a distributed business scenario with process integration between SAP Web
AS (1) and SAP Cloud (8). SAP Cloud (8) exposes an “IDOC over SOAP” inbound end-point. SAP Web AS (1)
sends IDOCs over SOAP to this end point. From the perspective of SAP Cloud (8), this is an inbound communication.
SAP Cloud (8) exposes the service end point URL
https://my12345.solution.ondemand.com/api/mywebservice.
Note
In practice, an integration scenario will be based on several interfaces. For brevity and simplicity, we stick
to these two communication links – that is, SAP Web AS (1) consumes a service in the SAP Cloud (8) and
SAP Cloud (8) consumes a service in SAP Web AS (1).
The reference scenario uses communication based on HTTPS using X.509 client certificates.
4.2 Secure Communication Using SSL
Communication over the public internet must be encrypted to protect data against eavesdropping and
manipulation.
The communication between SAP OnDemand and SAP Web AS shall be protected using Secure Socket Layer
(SSL).
For calls from SAP Web AS (1) to SAP OnDemand (8), end-to-end SSL shall be used. A transparent HTTP(S) proxy
(3') passes the requests without terminating SSL.
For calls from SAP OnDemand (8) to SAP Web AS (1), SSL shall be used. SAP OnDemand (8) connects to SAP
Web Dispatcher (3) using SSL. SAP Web Dispatcher (3) terminates SSL.
SAP Web Dispatcher (3) verifies client certificates, performs request filtering, URL rewriting, and load balancing.
SAP Web Dispatcher should use SSL to connect to SAP Web AS (1) here marked as SSL2.
SAP Web Dispatcher (3) adds information contained in the X.509 client certificate to HTTP headers to enable
X.509-to-user mapping in (8). For more information about this feature, see section X.509-Based Logon to NW AS from
SAP Web Dispatcher in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm
Note
The use of encryption on link SSL1 is paramount. The communication between SAP Web Dispatcher (3)
and SAP Web AS (1) typically resides inside customer premises and networks. Some customers may
choose performance over security and choose not to encrypt data on link SSL2. For security reasons, you
should use SSL for SSL2 also.
This is option 4 described in SAP Web Dispatcher documentation on help.sap.com in section SAP Web
Dispatcher and SSL:
http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
Image source: help.sap.com
Note
You must use SSL for any communication over public networks.
In test environments, you should at least use anonymous SSL with basic authentication.
In production environments, you should use SSL with X.509 client certificate-based authentication on SSL1, SSL2
and SSL3.
You find an overview of SAP Web AS (1) and SSL in section Using the Secure Sockets Layer Protocol with the
AS ABAP in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm
You find an overview of how to enable SAP Web Dispatcher for SSL support in section “Configuring the SAP
Web Dispatcher to Support SSL” in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
4.2.1 SAP Web AS Consumes SAP Cloud Service
Communication from SAP Web AS (1) to SAP OnDemand (8)
SAP OnDemand (8) exposes a resource https://my12345.solution.ondemand.com/api/mywebservice
The communication from SAP Web AS (1) is mediated through a transparent HTTP(S) proxy (3’) with the proxy
address proxy.mycompany.corp:8080. A transparent proxy does not terminate SSL.
SAP Web AS (1) acts as SSL client for SAP Cloud (8); hence SAP Web AS (1) must establish a trust relationship
with SAP Cloud (8). For this, you need to import the root certificate of the Certificate Authority (CA) that has
signed the SSL Server Certificate of SAP Cloud (8) into the SSL Client PSE used for communication. See
also section 6.1.
For HTTP(S) communication from SAP Web AS (1) to SAP Cloud (8), we set the proxy address in SOA Manager or
SM59 HTTP destinations to proxy.mycompany.corp:8080.
Note
Productive environments should increase security by using X.509 client certificates.
4.2.2 SAP Cloud Consumes SAP Web AS Service
Communication from SAP Cloud to SAP Web AS (1)
Let SAP Web AS (1) have a host name mysapwebas.secure.mycompany.corp. As there is no direct access to
SAP Web AS (1) from external locations, SAP Web AS (1) does not have a public DNS address or a public
IP address.
Let SAP Web AS (1) expose a web resource under the internal URL
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
Note
For a SAP instance with ID 00, the SAP default port is 44300 rather than well-known port 443.
For accessing this resource from the SAP Cloud, use the following public resource (visible from SAP Cloud):
https://webapi.mycompany.com:443/sapcloudapi/idoc
Note
SAP Cloud only supports HTTPS over port 443. Verify deviating requirements.
SAP Web Dispatcher (3) acts as Reverse Proxy for SAP Web AS (1)
Calls from SAP Cloud to (1) use the following URL:
https://webapi.mycompany.com:443/sapcloudapi/idoc.
Provide a public DNS (Domain Name Service) entry for host name webapi.mycompany.com pointing to the public
IP address of SAP Web Dispatcher (3).
SAP Web Dispatcher (3) terminates SSL. Therefore, SAP Web Dispatcher (3) needs an SSL Server Certificate for
the host name webapi.mycompany.com.
The SSL Server Certificate of SAP Web Dispatcher (3) for host name webapi.mycompany.com must have been
signed by a Certification Authority (CA) to which SAP Cloud has declared a trust relationship.
SAP Web Dispatcher (3) establishes a separate SSL connection SSL2 to SAP Web AS (1) where SAP Web
Dispatcher (3) acts as SSL client and SAP Web AS (1) acts as SSL server. SAP Web Dispatcher (3) must have a
trust relationship to the SSL Server Certificate maintained in SAP Web AS (1).
SAP Web Dispatcher rewrites the URL and forwards the HTTP call to the URL:
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311 – secured using SSL.
To act as SSL server, SAP Web AS ABAP (1) also needs an SSL Server Certificate. In a simple configuration, SAP
Web AS (1) has a self-signed SSL server certificate and SAP Web Dispatcher (3) has a declared trust relationship
to SAP Web AS (1) by importing SAP Web AS (1) server certificate’s public key in its trust manager.
To use SSL with client-certificate-based authentication in SAP Web Dispatcher (3), configure SAP Web Dispatcher (3) to
enable or enforce client certificates by maintaining the profile parameter icm/HTTPS/verify_client.
By default, client certificates are enabled but not enforced.
For more information, see section icm/HTTPS/verify_client in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/0d/88153a1a5b4c2de10000000a114084/content.htm
The SAP Cloud client certificates used for this communication can be exported from SAP Cloud (8). The client
certificates need to be signed by a trusted certification authority. Import the respective CA’s root certificate (for all
CAs in the certificate chain) into Web Dispatcher’s SSL Server Standard PSE so that Web Dispatcher (3) can
verify the validity of the client certificate.
For example: SAP Business ByDesign uses client certificates issued by SAP Trust Community (see section 5.5
Define Certificate to User Mapping in SAP Web AS for an example).
Note
If you do not terminate SSL on SAP Web Dispatcher (3) but on SAP Web AS (1), you need to perform the
previous steps only on SAP Web AS (1).
You map the client certificate to a local user account in the respective client of the SAP System of SAP Web AS
(1). For more information, see section 5.5 Define Certificate to User Mapping in SAP Web AS.
Firewall (4) must pass through calls from SAP Cloud to webapi.mycompany.com, that is, for HTTPS traffic
originating from the proxy server(s) / application delivery controller (6) in the SAP Cloud. You should restrict
communication by activating source IP filtering.
Note
To enable Source IP filtering on firewall (4), request the source IP address range for the proxy servers of
the data center(s) operating your SAP Cloud solution.
SAP Web Dispatcher performs a URL filter and URL rewrite – so that only calls from SAP Cloud with the allowed
URLs can pass.
SAP Web Dispatcher (3) rewrites
https://webapi.mycompany.com:443/sapcloudapi/idoc
to
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
Configure firewall (2) to enable connections from SAP Web Dispatcher (3) to SAP Web AS (1) on port 44300, as
SAP Web Dispatcher (3) forwards calls received on webdispatcher.dmz.mycompany.corp on port 443 to
mysapwebas.secure.mycompany.corp on port 44300.
4.3 Landscape Variations (Examples)
4.3.1 High Security Landscape
High Security Landscape using Zones, Firewalls and SAP Web Dispatcher for SAP System Load Balancing and
additional Application Delivery Controller
The following example shows a landscape with additional zones and security components:
(3a) An additional firewall separates the inner DMZ and outer DMZ. SAP Web Dispatcher is moved into the inner
DMZ.
(3b) An application delivery controller is inserted between the public Internet and SAP Web Dispatcher in the
outer DMZ. The application delivery controller can offer advanced security capabilities, such as Denial of Service
(DoS) detection.
For more information, see the SAP NetWeaver 7.0 Network Security Guide at:
http://help.sap.com/saphelp_nw70/helpdata/en/9d/44d7bc73ddce4f96f09de874350e78/frameset.htm
4.3.2 Alternative Landscape
The following diagram shows a reduced landscape. Compared to the reference landscape shown above, the
application delivery controller (3b) replaces both SAP Web Dispatcher, acting as reverse proxy, and (3’), acting as
transparent HTTP(S) proxy.
For calls from SAP OnDemand (8) to SAP Web AS (1), the application delivery controller (3b) terminates SSL. The
Application Delivery Controller can perform filtering, URL rewriting and content inspection.
For calls from SAP Web AS (1) to SAP OnDemand (8), the application delivery controller (3b) acts as transparent
HTTP(S) proxy.
[Figure: Alternative landscape. Customer Landscape (Security Area, DMZ) with SAP Web AS (1) and Application Delivery Controller (3b); Internet; SAP OnDemand Landscape with Application Delivery Controller (6) and SAP OnDemand (8); components 1 to 8 connected via HTTP(S) / HTTPS.]
5 Procedure Model
5.1 Preparation
Obtain SAP Web Dispatcher from SAP Service Marketplace
Obtain SAP Crypto Libraries from SAP Service Marketplace
Download Root CA Certificate(s)
Define network topology
o Document / define in which network zones Web AS ABAP, SAP Web Dispatcher and other connectivity
devices reside
o Define internal / external host names and URLs
o Derive URL filter and mapping rules
o Define IP filter rules
Request IP addresses, URLs and DNS entries
Request communication user(s) in the SAP System (1) used for communication from (8) to (1).
Note
The source IP address of communication originating in SAP OnDemand (8) may differ from the IP address that
the host name used for communication targeting SAP OnDemand (8) resolves to. Make
sure you obtain the IP address range of the SAP Data Center hosting your SAP OnDemand application
service (8). Apply this IP address range in your IP filter rules.
5.2 Install Web Dispatcher and Crypto Libraries
1. Install SAP Web Dispatcher on a machine in the defined network zone. In the reference landscape, this is the
DMZ. In SAP Security Guide, it is the inner DMZ.
2. Configure SAP Web Dispatcher (3) to support SSL as described in the section Configuring the SAP Web AS
for Supporting SSL in the SAP NetWeaver 7.3 Library at:
http://help.sap.com/saphelp_nw73/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm
For more information about how to configure SAP Web Dispatcher to terminate SSL and other options, see
section Configuring the SAP Web Dispatcher to Support SSL in the SAP NetWeaver 7.3 Library at:
http://help.sap.com/saphelp_nw73/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm.
In our reference scenario, we terminate SSL on SAP Web Dispatcher. In the above section, this is described as
option 4.
3. Configure SAP Web AS (1) to support SSL as described in section Using the Secure Sockets Layer Protocol
with the AS ABAP in the SAP NetWeaver 7.3 Library at:
http://help.sap.com/saphelp_nw73/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm
4. Configure URL filters and rewrite rules.
Note
For more information about the required SSL certificates, see the next section Enable SSL on SAP Web
AS and SAP Web Dispatcher.
Note
SAP Web Dispatcher needs an external DNS entry and IP address. SAP Cloud must be able to access SAP
Web Dispatcher on standard HTTPS port 443.
SAP Web Dispatcher also needs access to the HTTPS port configured in SAP Web AS ABAP. By default, this is
443$$, where $$ represents the system’s instance ID (which can also be found in Web AS ABAP’s instance profile
using transaction RZ10).
Note
Make sure that you have installed and enabled SAP Crypto Libraries.
5.3 Enable SSL on SAP Web AS and SAP Web Dispatcher
In the reference landscape, SAP Web Dispatcher (3) terminates SSL for calls originating in SAP Cloud (8) directed
to SAP Web AS (1).
For calls from SAP Web AS (1) to SAP Cloud (8), SAP Web AS ABAP (1) uses a transparent HTTP(S) proxy that
does not terminate SSL.
SAP Web AS (1) needs to maintain trust relationship to a supported Root CA that has signed the SAP Cloud’s (8)
SSL Server Certificate.
SAP Web Dispatcher (3) needs an SSL Server Certificate signed by one of the Certification Authorities to which
SAP Cloud has maintained a trust relationship.
SAP Web AS ABAP (1) needs a self-signed SSL server certificate. Alternatively, a signed SSL server certificate can
be used.
On SAP Web Dispatcher (3), you need to maintain a trust relationship to SAP Web AS ABAP (1).
5.3.1 Import Certificates in SAP Web AS ABAP Trust Manager
In a test landscape, you can use SSL with basic authentication (user name and password):
o On SAP Web AS (1), create a PSE for SSL Client (Anonymous).
o In this PSE, import the CA Root Certificate (see section 6.1 Valid Trusted CAs), for example,
sureserver_ev_roots.cer that you have downloaded from
https://secure.omniroot.com/support/sureserver/rootcert.cfm
In a productive environment, you should use SSL with client certificate authentication (to use certificate-
based logon to the SAP cloud):
o Use an existing PSE (such as SSL Client Standard) or create a new one – for example, a dedicated PSE in
SAP Web AS ABAP (1) for SAP Cloud: Use transaction SE16 to create a new entry in table STRUSTSSL.
The following screenshot shows a new entry with Identity SAPOD.
o On SAP Web AS (1), use transaction STRUST to create a PSE for SSL Client (SAP Cloud) or create or
reuse the default PSE SSL Client (Standard).
Note
A missing PSE is marked with a red cross. Use right-mouse-click > Create to create the PSE. To select
and open a PSE, double click the PSE name in the trust manager’s navigation tree on the left-hand side.
The selected PSE is indicated in the Detail section’s group title. For example, in the screenshot below it is
labeled as “SSL client SAPCloud …”
o Create a certificate request for this PSE.
o Use one of the supported Certification Authorities to sign the certificate request and obtain the certificate
response in PKCS#7 Certificate Chain format in base 64 encoding. For more information, see section 6.3
Valid CAs for Signing Client Certificates.
o Import the certificate response into the same PSE.
o In this PSE, import the CA Root Certificate (see section 6.1 Valid Trusted CAs), for example,
sureserver_ev_roots.cer, that you have downloaded from
https://secure.omniroot.com/support/sureserver/rootcert.cfm
o Make sure the right PSE is selected by verifying the detail section’s group title – in the screen shot
below “SSL client SAPCloud…”
o In the group labeled “Certificate”, use the “import from file” function and import the CA’s root
certificate file (*.cer, base64 encoded). Verify the certificate by checking Owner, Issuer, Validity.
o Then choose Add to Certificate List.
o Verify that the certificate shows up in the certificate list. In the screenshot below, “GTE CyberTrust …”
and “Cybertrust SureServer…” have been imported to the certificate list.
o Save changes.
o Perform a soft reset of ICM to activate the changes. (SMICM > Administration > ICM > Soft Reset >
Local).
5.3.2 Create Self-Signed SSL Server Certificate on SAP Web AS
On SAP Web AS (1), create a PSE for SSL Server (Standard) – resulting in a self-signed SSL Server Certificate. For
the SAP Web AS instance to be used as SAP Web AS (1), derive the distinguished name for the certificate
based on the host name, the system’s installation number, and your company name.
Note
If you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-
<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.
The distinguished name on SAP Web AS (1) then would be CN=mysapwebas.secure.mycompany.corp,
OU=I1234567890-SAP AG, OU=SAP Web AS, O=SAP Trust Community, C=DE.
The distinguished name on SAP Web Dispatcher (3) then would be CN=webapi.mycompany.com,
OU=I0123456789-SAP AG, OU=SAP Web AS, O=SAP Trust Community, C=DE.
Note
You need a CA-signed SSL Server Certificate if you terminate SSL on SAP Web AS, described as option 5
in section SAP Web Dispatcher and SSL in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm.
In this case, you must create an SSL Server Certificate for the external host name webapi.mycompany.com on
SAP Web AS (1). The host name must correspond to the host name used in the URL in the SAP Cloud Solution.
To verify the certificate, proceed as follows:
1. Open the newly created PSE for SSL Server Standard.
2. Verify that its name is displayed in the detail section’s group title SSL server Standard.
3. Double click the output field next to label Owner.
4. The SSL Server Certificate details will be shown in the Certificate section.
5. In the Certificate section with the opened SSL Server Certificate, choose to export the certificate and save the
certificate to a file using Base64 encoding as file “MyWebAsSSLServer.cer” or similar. Use file extension .cer
and base64 encoding.
Note
On Windows, you can display the certificate details by double clicking the *.cer file in the Explorer. You
can use this to verify certificate details, like the host name, and that the certificate has been signed by a
supported Root CA like SAPNetCA.
Screenshots: SSL Server Certificate signed by SAPNetCA.
5.3.3 Create CA-Signed SSL Server Certificate on SAP Web Dispatcher
Note
For this task and the subsequent ones, follow procedure 5.3.2 for using the Trust Manager, or refer to
Trust Manager and SAP Web Dispatcher online documentation for details.
Configure SAP Web Dispatcher (3) to Support SSL as described in section Configuring the SAP Web AS
for Supporting SSL in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm
Configure SAP Web AS (1) to Support SSL as described in section Configuring the SAP Web AS for
Supporting SSL in the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm
Perform the following steps:
1. On SAP Web Dispatcher, create a PSE for SSL Server (Standard) – resulting in a self-signed SSL Server
Certificate.
2. For the self-signed server certificate on SAP Web Dispatcher, create a certificate request.
3. To sign the certificate request and obtain the certificate response in PKCS#7 Certificate Chain format in base
64 encoding, use one of the supported Certification Authorities.
Note
For an example of how you can sign SSL Server Certificates using SAP Trust Center, see section 5.7.5
Signing Certificate Requests using SAP Trust Service.
4. Import the certificate response into SAP Web Dispatcher (3)’s SSL Server (Standard) PSE.
5.3.4 Import SAP Web AS Server Certificate into SAP Web Dispatcher’s Trust Manager
Note
For online documentation, refer to the sources mentioned in section 5.3.3 Import SAP Web AS Server
Certificate into SAP Web Dispatcher’s Trust Manager.
Perform the following steps:
1. On SAP Web Dispatcher, create a PSE for SSL Client (Standard).
2. The result is a self-signed PSE.
3. Export this certificate to file in base 64 format.
4. Import the SSL Server Certificate from Web AS ABAP (1) into this PSE.
5.3.5 Import SAP Web Dispatcher’s Client Certificate into SAP Web AS ABAP Trust Manager
Note
For online documentation, refer to sources mentioned in section 5.3.3 Import SAP Web AS Server
Certificate into SAP Web Dispatcher’s Trust Manager.
On SAP Web AS ABAP, open the PSE for SSL Server (Standard) and import the client certificate from SAP Web
Dispatcher (created in the previous step).
5.4 Configure Network Components
5.4.1 Configure Firewall Settings
For SSL-based communication between SAP Web AS (1) and SAP OnDemand (8), you have to configure how SSL
will pass through specific ports and source / destination hosts.
Sample resource addresses:
(1) https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311
mysapwebas.secure.mycompany.corp:44300
(3) inbound: https://webapi.mycompany.com:443/sapcloudapi/idoc.
(3) internal hostname webdispatcher.dmz.mycompany.corp
(3’) proxy.mycompany.corp:8080
(8) https://my12345.solution.ondemand.com/api/mywebservice
Required Configuration
Configure firewall (2) to pass through HTTPS from the host (1) to the transparent HTTP(S) proxy (3’), that is,
from the High Security Area, particularly host mysapwebas.secure.mycompany.corp to
proxy.mycompany.corp:8080.
Configure firewall (4) to pass calls from transparent proxy (3’) proxy.mycompany.corp to
my12345.solution.ondemand.com:443.
Configure proxy (4) to pass traffic from application delivery controller (6) (acting as proxy for (8)) to SAP
Web Dispatcher (3).
Provide a public DNS entry and IP address, in the example webapi.mycompany.com, for SAP Web
Dispatcher (3).
If desired, configure source IP filtering in firewall (4) using the IP addresses of SAP Cloud Proxy Servers /
Application Delivery Controllers (6).
Note
If you want to configure source IP filtering, request the IP addresses of ADC (6) from SAP Managed
Services.
Configure firewall (2) to pass traffic from SAP Web Dispatcher (3) webdispatcher.dmz.mycompany.corp
to SAP Web AS (1) on port 44300.
5.4.2 Configure URL Filter and Rewrite Rules on SAP Web Dispatcher
There are several motivating factors in using the filtering and rewrite capabilities of SAP Web Dispatcher:
Increase security by restricting access from the public Internet to your ERP system.
Hide implementation details from external access: here, topology of the ERP landscape.
Keep external URLs stable even during landscape changes.
Note
In our reference landscape, we use one Web Dispatcher as reverse proxy for a single SAP ABAP System.
Different topologies require adaptation in the configuration.
According to the reference scenario above, we want to configure rewrite of external URL
https://webapi.mycompany.com:443/sapcloudapi/idoc
to the internal URL
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
on SAP Web Dispatcher (3).
To leverage filtering and URL rewrite capabilities, as of release 7.10, the SAP Web Dispatcher includes a
modification handler that you can configure for rewriting URLs.
With the parameter icm/HTTP/mod_<xx> you can configure modifications of HTTP Requests and define rules by
which the SAP Web Dispatcher changes the HTTP request before it forwards it. This includes header field
manipulation, URL rewrite, and other functions.
You can find a complete set of possible configurations, as well as a detailed description of how to configure
rewriting URLs, in the SAP NetWeaver Library (for SAP NetWeaver Process Integration 7.1) at:
http://help.sap.com/saphelp_nwpi711/helpdata/en/4d/684daeecd446e7b5e9999496166e3f/frameset.htm
We define a web dispatcher profile based on the example of the SAP Web Dispatcher documentation in the SAP
NetWeaver Library (for SAP NetWeaver Process Integration 7.1):
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/957caf94cc73eae10000000a42189b/frameset.htm
We assume that the SAP system’s message server resides on the same host as SAP Web AS (1), that is
mysapwebas.secure.mycompany.corp, and that the message server port is 8081. Verify your configuration.
By default, we enable SSL client certificates. Remove the comment from the respective row to enforce client certificates.
#icm/HTTPS/verify_client = 2
Activate SSL on port 443 and terminate SSL on SAP Web Dispatcher.
icm/server_port_0 = PROT=HTTPS,PORT=443
If you want to use end-to-end SSL, comment the previous row and remove the comment from the following row:
#icm/server_port_0 = PROT=ROUTER,PORT=443
Also consider the sizing and performance impact of the alternatives. For more information, see section 5.7.2 Web
Dispatcher Performance Tuning.
Activate a modification handler for request filtering and URL rewriting for URLs with path prefix /sapcloudapi:
icm/HTTP/mod_0 = PREFIX=/sapcloudapi, FILE=sapcloud.action
For more information, see section icm/HTTP/mod_<xx> in the SAP NetWeaver Process Integration 7.1 Library at:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/49c7403a79350ce10000000a42189d/frameset.htm
The adapted SAP Web Dispatcher profile file (for example, sapwebdisp.pfl)
# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
SAPSYSTEM = 66
# Directory variables
DIR_EXECUTABLE = .
DIR_INSTANCE = .
# Message Server Description
rdisp/mshost = mysapwebas.secure.mycompany.corp
ms/http_port = 8081
# SAP Web Dispatcher Parameters
wdisp/auto_refresh = 120
wdisp/max_servers = 100
# enable client certificates
# default value is 1: enable client certificates
# to enforce use of client certificates set to 2
#icm/HTTPS/verify_client = 2
# Parameters for the HTTPS Routing
wdisp/HTTPS/dest_logon_group = HTTPS
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0
# Description of the Access Points
# SSL terminated on SAP Web Dispatcher:
icm/server_port_0 = PROT=HTTPS,PORT=443
# End-to-end SSL, terminated on SAP Web AS ABAP (next two rows)
#icm/server_port_0 = PROT=ROUTER,PORT=443
#wdisp/ssl_encrypt_1
# Description of the Resources
icm/min_threads = 20
icm/max_threads = 40
icm/max_conn = 500
# Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536
icm/HTTP/mod_0 = PREFIX=/sapcloudapi, FILE=sapcloud.action
We create an action file sapcloud.action comprising filter and rewrite rules based on the example in the SAP
NetWeaver 7.3 Library on Defining Modification Actions:
http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm
For more information about the naming example and considerations about where to store the action file in case
you want to apply the same set of rules on several hosts, see also section icm/HTTP/mod_<xx> in the SAP
NetWeaver 7.3 Library at:
http://help.sap.com/saphelp_nw73/helpdata/en/48/49c7403a79350ce10000000a42189d/frameset.htm
We set a request filter: We forbid any requests not addressed to host name webapi.mycompany.com by
if %{HTTP_HOST} regimatch !webapi.mycompany.com
RegForbiddenUrl ^/(.*) -
We filter all requests that are neither GET nor POST
if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -
We perform URL rewriting so that the external path name is mapped to the one configured in SAP Web AS (1) in
ICF Configuration (SICF). For the above host name webapi.mycompany.com, we want to pass the requests to
client 311 of our SAP system. The external path /sapcloudapi/idoc shall be mapped to the path defined in ICF
configuration (via transaction SICF), here for the IDOC SOAP port /sap/bc/srt/IDoc?sap-client=311.
if %{HTTP_HOST} regimatch webapi.mycompany.com
# Map external URL for IDOC SOAP end point to internal URL
# default IDOC SOAP inbound: /sap/bc/srt/IDoc – verify in tx SICF / SRTIDOC
# Client with parameter ?sap-client=311
RegIRewriteUrl ^/sapcloudapi/idoc /sap/bc/srt/IDoc?sap-client=311$1
The complete action file sapcloud.action:
# Modification rules for WebDisp
# set WebDisp header
SetHeader clientProtocol %{SERVER_PROTOCOL}
SetHeader X-SAP-WEBDISP-AP %{SERVER_ACCESS_POINTS}
# check for forbidden host names
# in this example action file only webapi.mycompany.com is allowed!
if %{HTTP_HOST} regimatch !webapi.mycompany.com
RegForbiddenUrl ^/(.*) -
# check for forbidden method
if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -
# URL rewriting
if %{HTTP_HOST} regimatch webapi.mycompany.com
# Map external URL for IDOC SOAP end point to internal URL
# default IDOC SOAP inbound: /sap/bc/srt/IDoc – verify in tx SICF / SRTIDOC
# Client with parameter ?sap-client=311
RegIRewriteUrl ^/sapcloudapi/idoc /sap/bc/srt/IDoc?sap-client=311$1
See also SAP Web Dispatcher Help:
SAP Web Dispatcher:
http://help.sap.com/saphelp_nw73/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm
Modifications of HTTP Requests:
http://help.sap.com/saphelp_nw73/helpdata/en/48/9266acaa6b17cee10000000a421937/frameset.htm
Defining Modification Actions:
http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm
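The following offline model of the three sapcloud.action rules is an added example, not SAP code and not part of the original guide; it lets you check which requests a rule set admits before deploying it. It assumes that regimatch is an unanchored, case-insensitive regular-expression search, that the action file is consulted only for paths under the PREFIX value, and it introduces a stricter anchored host pattern (HOST_ANCHORED) for comparison; the sample requests are constructed.

```python
import re
from typing import NamedTuple, Optional

HANDLER_PREFIX = "/sapcloudapi"       # PREFIX= value of icm/HTTP/mod_0
ALLOWED_METHODS = {"GET", "POST"}     # stricmp compares case-insensitively
REWRITE_FROM = re.compile(r"^/sapcloudapi/idoc", re.IGNORECASE)  # RegIRewriteUrl
REWRITE_TO = "/sap/bc/srt/IDoc?sap-client=311"

# Host pattern exactly as written in the action file: dots unescaped, no anchors.
# Assumption: regimatch is a case-insensitive, unanchored regex search.
HOST_AS_WRITTEN = re.compile(r"webapi.mycompany.com", re.IGNORECASE)
# Stricter variant (an assumption of this example, not taken from the guide):
# literal dots, anchored at both ends, optional explicit port 443.
HOST_ANCHORED = re.compile(r"^webapi\.mycompany\.com(:443)?$", re.IGNORECASE)


class Decision(NamedTuple):
    action: str             # "forbidden", "rewritten", "unchanged", "not-handled"
    target: Optional[str]   # path forwarded to SAP Web AS (1), if any


def evaluate(method, host, path, host_pattern=HOST_AS_WRITTEN):
    """Apply the rules in the order they appear in sapcloud.action."""
    # Assumption: the action file only sees paths that start with PREFIX,
    # so other paths need their own filter rule.
    if not path.startswith(HANDLER_PREFIX):
        return Decision("not-handled", None)
    # Rule 1: forbid every host that does not match the allowed host name.
    if not host_pattern.search(host):
        return Decision("forbidden", None)
    # Rule 2: forbid every method that is neither GET nor POST.
    if method.upper() not in ALLOWED_METHODS:
        return Decision("forbidden", None)
    # Rule 3: map the external path to the internal ICF path.
    if REWRITE_FROM.search(path):
        return Decision("rewritten", REWRITE_TO)
    # Under the prefix but not matched by the rewrite: forwarded as received.
    return Decision("unchanged", path)


# Constructed sample requests: (method, Host header, path).
SAMPLE_REQUESTS = [
    ("POST", "webapi.mycompany.com", "/sapcloudapi/idoc"),
    ("post", "WEBAPI.MYCOMPANY.COM:443", "/sapcloudapi/idoc"),
    ("PUT", "webapi.mycompany.com", "/sapcloudapi/idoc"),
    ("GET", "other.mycompany.com", "/sapcloudapi/idoc"),
    ("POST", "webapi.mycompany.com", "/sapcloudapi/other"),
    ("GET", "webapi.mycompany.com", "/unrelated/path"),
    ("POST", "webapi.mycompany.com.example.net", "/sapcloudapi/idoc"),
]


def decision_table(host_pattern):
    """Return the action taken for each sample request, in order."""
    return [evaluate(m, h, p, host_pattern).action for m, h, p in SAMPLE_REQUESTS]


def pattern_differences():
    """Return the sample requests the two host patterns decide differently."""
    loose = decision_table(HOST_AS_WRITTEN)
    strict = decision_table(HOST_ANCHORED)
    return [req for req, a, b in zip(SAMPLE_REQUESTS, loose, strict) if a != b]


if __name__ == "__main__":
    for req, a, b in zip(SAMPLE_REQUESTS, decision_table(HOST_AS_WRITTEN),
                         decision_table(HOST_ANCHORED)):
        print(f"{req!s:75} as-written={a:12} anchored={b}")
```

Verify the actual matching behaviour on your SAP Web Dispatcher release before relying on the model's assumptions.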
5.4.3 Client Certificate Handling with SAP Web Dispatcher
SAP Web Dispatcher supports mapping of the client certificate / X.509 identification to HTTP header fields.
While SAP Web Dispatcher (3) terminates SSL in the reference landscape, the client certificate can still be used
for user mapping in SAP Web AS (1).
For more information, see section X.509-Based Logon to NW AS from SAP Web Dispatcher in the SAP NetWeaver
7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm
5.4.4 Example SAP Web Dispatcher Configurations
For configuration examples, see section Parameterization of the SAP Web Dispatcher in the SAP NetWeaver 7.3
Library at:
http://help.sap.com/saphelp_nw73/helpdata/en/de/89023c59698908e10000000a11402f/frameset.htm
You need to incorporate the above configurations for SSL termination, request filtering, and URL rewriting to
adapt the examples to your company-specific settings.
5.4.5 Configure Settings on Additional Connectivity Components
For supported application gateway configurations, see SAP Note 833960.
5.5 Define Certificate to User Mapping in SAP Web AS
5.5.1 Preparation
In SAP Cloud (8), you have configured a communication arrangement with authentication based on client
certificates. Maintain the respective communication arrangement and verify that certificate-based authentication
is used. Then download the certificate and save it to a file, for example under the name SAP Cloud Client
Certificate.cer.
Example of a Client Certificate exported from SAP Travel OnDemand from an Outbound Communication
Arrangement using Certificate Based Authentication and selection of the certificate for the “system key”.
5.5.2 Define Mapping
Perform the following steps:
1. On SAP Web AS ABAP (1), use transaction SM30 to maintain view VUSREXTID.
2. Add a new entry for external ID type “DN” (distinguished name) representing user identification by X.509
client certificate.
3. Import the external ID from the certificate file (in the above example: SAP Cloud Client Certificate.cer) to set
external ID with values from the certificate.
4. Maintain a minimum date (such as the current date) and maintain the user ID for the specified
communication user.
Sequence number is typically 001 unless you have several entries for the same external ID.
The following screenshot shows the result of a newly created entry in the user mapping view VUSREXTID:
5.6 Perform Connectivity Tests
You can find information about how to perform connectivity tests in the SAP NetWeaver Library at:
Testing the SSL Configuration:
http://help.sap.com/saphelp_nw73/helpdata/en/49/3d938a501a2009e10000000a42189c/frameset.htm
Testing the SSL Connection to the AS ABAP over the SAP Web Dispatcher:
http://help.sap.com/saphelp_nw73/helpdata/en/49/4594d63a293b5be10000000a42189b/frameset.htm
Refer also to your solutions integration guide about how to perform specific connectivity and integration tests.
You can also verify that the external URL works. You will need logon information to verify the IDOC / SOAP port.
You can enter the external and internal URLs in the browser. In our reference scenarios, they are:
https://webapi.mycompany.com:443/sapcloudapi/idoc
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
You can verify the SSL Server Certificates in Internet Explorer by clicking the lock symbol next to the address field.
Display certificate details and the certificate path.
For more information, see section 5.3.2. Create Self-Signed SSL Server Certificate on SAP Web AS.
5.7 Selected Application Integration Topics
5.7.1 Verify SSL Support on SAP Web AS and SAP Web Dispatcher
For information about the configuration of the SAP Web AS for supporting SSL, see the SAP NetWeaver 7.0
Library at:
http://help.sap.com/saphelp_nw70/helpdata/EN/65/6a563cef658a06e10000000a11405a/frameset.htm
For information about the configuration of the SAP Web Dispatcher to support SSL, see the SAP NetWeaver 7.0
Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
5.7.2 SAP Web Dispatcher Performance Tuning
You can find information on configuration options relevant for SAP Web Dispatcher performance tuning in the
following help.sap.com resources:
Server Selection and Load Balancing Using the SAP Web Dispatcher
http://help.sap.com/saphelp_nw70/helpdata/en/5f/7a343cd46acc68e10000000a114084/content.htm
Timeout Options for ICM and Web Dispatcher
http://help.sap.com/saphelp_nwpi71/helpdata/en/48/88b52977323cb8e10000000a42189d/content.htm
SAP Web Dispatcher 7.1 Sizing Guide
https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf
You can find general performance optimization information in the SAP Press book SAP Performance Optimization. See
section 7, SAP Press Books, for full reference.
5.7.3 Configure SSL on HTTP Destinations Using SM59
For information about how to specify that a connection should use SSL, see the SAP NetWeaver 7.0 library at:
http://help.sap.com/saphelp_nw70/helpdata/EN/5b/2e423c0bcc4a7ee10000000a114084/frameset.htm
In particular, you must make sure that:
- You check SSL protocol support
- You choose the right PSE
  o If you use basic authentication (username and password), use SSL Client Anonymous and verify in trust
    manager STRUST that you have imported the root certificates of the Certification Authority that has
    signed the SSL Server Certificate of SAP Cloud (8). See also section 6.1.
  o If you use X.509 client certificate authentication on SAP Cloud, select the PSE that you have defined as
    described in the second option in section 5.3.1.
5.7.4 Configure SSL for IDOC over SOAP
For IDOC based communication between SAP Business Suite and SAP Business ByDesign and SAP Business
ByDesign based solutions, some communication is based on IDOC over SOAP. For this communication, an IDOC
message is XML encoded, and then transferred between SAP Web AS ABAP and SAP Cloud using SOAP protocol.
The ALE configuration in SAP Web AS uses the same tools as IDOC communication using RFC protocol,
specifically:
ALE Distribution Model (Transaction BD64)
Partner Profile (Transaction WE20)
Destinations (Transaction SM59)
Procedure Model
1. Set up SSL support (particularly PSEs) as described in the previous sections.
2. Configure ALE Distribution Model according to the Master Guide or Integration Guide of the respective
solution.
3. When maintaining partner profiles for IDOC types, choose an HTTP destination with the desired PSE
with basic or client certificate based authentication.
4. Select Content type Application/x-sap.idoc. The option Application/x-sap.idoc is only available if you have
implemented SAP Note 1510812. Read this SAP Note for further information. (information valid at time of
writing).
Note
IDOC over SOAP has further implications with respect to package size and batch / immediate processing.
For more information, see SAP Note 1510812.
5.7.5 Signing Certificate Requests using SAP Trust Service
You can have SSL Server Certificates signed by SAP Trust Service for a service fee.
For more information, see the SAP Trust Center Services in SAP Service Marketplace at:
https://service.sap.com/tcs
For test purposes, you can have SSL Server Certificates signed for a validity period of 8 weeks.
1. Create a self-signed SSL Server Certificate in the Trust Manager or SAP Web Dispatcher. (Note: In the
reference landscape, you only need a CA-signed SSL server certificate on SAP Web Dispatcher. You can also
apply the same method for signing SSL Server Certificates on SAP Web AS if you do not want to use
self-signed server certificates on SAP Web AS.)
2. Create and export a certificate request from the trust manager.
3. Copy the certificate request, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE
REQUEST----- lines, into the entry field “Enter data for public key” shown below.
4. Choose PKCS#7 certificate chain.
5. Choose Continue.
6. Copy the certificate response and import the certificate response into the trust manager.
7. Save the PSE in the trust manager.
8. Perform a New Start or “Soft Reset” of the ICM. To reduce the impact on existing sessions, you should do this
locally on the instance(s) used for communicating from SAP Cloud to SAP Web AS (1).
For more information on ICM administration, see the SAP NetWeaver 7.0 Library at:
http://help.sap.com/saphelp_nw70/helpdata/en/86/ba813a19a2416de10000000a114084/frameset.htm
Note
As server and client certificates have a defined validity period, you need to plan renewal of the certificates
in time. Invalid certificates cause failure of communication.
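The renewal planning from the note above, combined with a check of the client certificate file from section 5.5.1 before its DN is mapped, as an added example using the OpenSSL command line (not part of the original guide and not an SAP tool). The sample certificate, its subject and the 30/90-day thresholds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool.

# Print the subject DN of a certificate file (Base64/PEM or binary/DER).
cert_subject_dn() {
    for form in PEM DER; do
        if dn=$(openssl x509 -inform "$form" -in "$1" -noout \
                    -subject -nameopt RFC2253 2>/dev/null); then
            printf '%s\n' "$dn" | sed 's/^subject= *//'
            return 0
        fi
    done
    echo "cannot parse certificate: $1" >&2
    return 1
}

# Succeed only if FILE parses and is still valid DAYS days from now.
# Unreadable or missing files fail too, so a broken export raises the alarm.
cert_valid_for() {
    for form in PEM DER; do
        openssl x509 -inform "$form" -in "$1" -noout \
            -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Constructed sample: throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/C=DE/O=Example/CN=sapcloud-client-test" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cert="$tmp/SAP Cloud Client Certificate.cer"
make_sample_cert "$cert" 56     # 8 weeks, like a test certificate

echo "Subject DN: $(cert_subject_dn "$cert")"
for days in 30 90; do
    if cert_valid_for "$cert" "$days"; then
        echo "valid for at least $days more days"
    else
        echo "expires within $days days (or unreadable): plan renewal"
    fi
done
```

The DN is printed in RFC 2253 form; how the mapping view renders the same DN may differ in spacing or attribute order, so compare it attribute by attribute.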
5.7.6 Configure SSL using SOA Manager
The system consuming or providing web services configured using SOA Manager must have SSL enabled as
described in previous sections.
Note
Refer to the integration guide of your solution to find details on the “consumed web services” and
“provided web services”. This section focuses on the technical connectivity aspects of this configuration
and not on the integration scenario itself.
When SAP Web AS (1) consumes a web service, you need to configure a so-called consumer proxy on SAP Web
AS. This scenario is described on help.sap.com under “Configuring a Consumer Proxy” at:
http://help.sap.com/saphelp_nw73/helpdata/en/9e/c7a3591dc74a679bbc9716354e42af/frameset.htm
You will maintain a logical port. In our reference landscape, you need to maintain the HTTP(S) proxy setting of
the logical port to proxy.mycompany.corp:8080.
When SAP Web AS (1) exposes a web service that shall be consumed by SAP Cloud (8), you need to maintain a
web service End Point using SOA Manager. This scenario is described on help.sap.com in section “Configuring a
Service Provider” at
http://help.sap.com/saphelp_nw73/helpdata/en/33/06820d9d174c2884576bd78ac5629d/frameset.htm
In our reference scenario, we use an internal URL:
https://mysapwebas.secure.mycompany.corp:44300/sap/bc/srt/IDoc?sap-client=311.
In the case of web services maintained using SOA Manager, the end point URL looks different and we expose a
separate, external URL:
https://webapi.mycompany.com:443/sapcloudapi/idoc
Create an end point and specify SSL binding and authentication method, for example, X.509 certificate-based
authentication.
To enable the desired external URL, maintain the transport settings as follows:
1. Define an alternative URL for messages.
The path that you set here overrides the path defined in the URL.
2. You need to specify an alternative path, for example, if the service is not local or if it is behind a firewall. Use
the path of the external URL: /sapcloudapi/idoc
3. If the target web service can only be accessed through a proxy server, you can also specify some proxy
information here. Use the external host name of SAP Web Dispatcher: webapi.mycompany.com
4. As a result, we have configured an end point with an external URL using SOA manager:
https://webapi.mycompany.com:443/sapcloudapi/idoc.
Note
You may want to create an “internal end point” for verifying the method and for testing the service using a
web service test tool, then remove the test end point and add a new one with the target configuration.
For more information, see the following sections about SOA Manager in the SAP NetWeaver 7.3 Library:
Runtime Configuration with the SOA Manager:
http://help.sap.com/saphelp_nw73/helpdata/en/46/a4863ea82152b8e10000000a155369/frameset.htm
Configuring HTTPS at Transport Level with X.509 Certificate Authentication:
http://help.sap.com/saphelp_nw73/helpdata/en/49/9bf6c9e05a526be10000000a42189c/frameset.htm
Configuring Service Providers and Consumers:
http://help.sap.com/saphelp_nw73/helpdata/en/cf/9fb513ced74bbf82cac2231a358086/frameset.htm
Note
Remember to define URL rewrite rules on SAP Web Dispatcher to enable mapping of external URL to
internal URL. See also the example in reference scenario section 4.1.
6 SAP Supported Certification Authorities
6.1 Valid Trusted CAs
For communicating from SAP Web AS (1) to SAP Cloud (8) you must maintain trust relationships to the following
CAs by importing the CA’s root certificate into the SAP Web AS trust manager:
Cybertrust Sure Server Standard Validation CA
GTE Cyber Trust Global Root
You must import the certificates of the above-mentioned CAs into the SAP ERP system in transaction STRUST.
Depending on the authentication method, you must import these certificates into one of the following folders:
SSL Client (Anonymous) for authentication with username/password
SSL Client (Standard) for authentication with client certificate
You can get these certificates from Verizon certificate services at:
https://secure.omniroot.com/support/sureserver/rootcert.cfm
6.2 Valid CAs for Signing Server Certificates
List of supported certification authorities for the SAP Business ByDesign tenant (ByDesign is SSL Client, SAP Web
Dispatcher is SSL Server)
EntrustPersonalServerCA.cer
EntrustServerCA.cer
EquifaxIntermediate.cer
EquifaxSecureCA.cer
Go_Daddy_Class2.cer
Go_Daddy_Secure_Certification_Authority.cer
SAPNetCA.cer
SAPPassportCA.cer
TC_Trustcenter_Class1_L1_CA.cer
TC_TrustCenter_Class_1_CA.cer
TC_TrustCenter_Class_1_L1_CA_VII.cer
TC_TrustCenter_Class_2_CA_II.cer
TC_TrustCenter_Class_2_L1_CA_XI.cer
TCTrustcenterClass2.cer
TelekomOnlinePass.cer
Thawte_ServerBasic.cer
Thawte Premium Server CA Root
Thawte Primary Intermediate CA
Thawte Secondary Intermediate CA
Verisign_Class3_Intermediate.cer
VeriSignClass3_Secure_server.cer
VeriSignClass1_G1.cer
VeriSignClass1_G2.cer
VeriSignClass1_G3_b64.cer
VeriSignClass2_G1.cer
VeriSignClass2_G2.cer
VeriSignClass2_G3_b64.cer
VeriSignClass3_G1.cer
VeriSignClass3_G2.cer
VeriSignClass3_G3_b64.cer
VeriSignClass4_G2.cer
VeriSignClass4_G3_b64.cer
VeriSignClass3_SecureServer_CA_G2.cer
6.3 Valid CAs for Signing Client Certificates
List of supported certification authorities for the reverse proxy in the on-demand network (only relevant for client
certificates)
Entrust.net Client Certification Authority
Entrust.net Secure Server Certification Authority
SAP Passport CA
Server CA
Deutsche Telekom Root CA 1
Thawte Server
VeriSign Class 1 Public Primary Certification Authority - G3
VeriSign Class 2 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority - G3
VeriSign Class 4 Public Primary Certification Authority - G3
Go Daddy Secure Certification Authority
TC TrustCenter SSL CA I
CompuTop GmbH
Entrust.net Certification Authority (2048)
Entrust Certification Authority - L1B
TC TrustCenter Class 1 L1 CA VI
VeriSign Class 3 Secure Server CA
TC TrustCenter Class 1 L1 CA VII
Thawte Premium Server
TC TrustCenter Class 2 L1 CA XI
TC TrustCenter Class 2 CA II
7 Further Reading
7.1 Guidelines
SAP Security Guides:
http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000401180&
See SAP NetWeaver Security Guides (Complete) or SAP NetWeaver 7.3 Security Guide on the Help Portal:
http://help.sap.com/saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm
SAP NetWeaver 7.3: Network and Communication Security:
http://help.sap.com/saphelp_nw73/helpdata/en/fe/a7b5386f64b555e10000009b38f8cf/frameset.htm
SAP Web Dispatcher 7.1 Sizing Guide:
https://service.sap.com/~sapdownload/011000358700001869252005E/SAPWebDispatcher.pdf
SAP Security Guideline Overview: Best-Built Applications, chapter 9 “Security”:
http://bestbuiltapps.sap.com
or
http://wiki.sdn.sap.com/wiki/display/BBA/Chapter+9.+Security+Guidelines+for+Best-Built+Applications
7.2 Product Documentation
X.509-Based Logon to NW AS from SAP Web Dispatcher:
http://help.sap.com/saphelp_nw70/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm
SAP Web Dispatcher and SSL:
http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
Configuring the SAP Web Dispatcher to Support SSL:
http://help.sap.com/saphelp_nw70/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
Using the Secure Sockets Layer Protocol with the AS ABAP:
http://help.sap.com/saphelp_nw70/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm
You find an overview on how to enable SAP Web AS (1) for SSL support.
Enable / enforce SSL with client certifications on SAP Web AS / SAP Web Dispatcher: icm/HTTPS/verify_client
http://help.sap.com/saphelp_nw70/helpdata/en/0d/88153a1a5b4c2de10000000a114084/content.htm
7.3 SAP Developer Network
SAP Developer Network (SDN) Home: http://www.sdn.sap.com/
SAP Developer Network Forum on Service-Oriented Architecture:
http://forums.sdn.sap.com/forum.jspa?forumID=101
7.4 SAP Press Books
Thomas Schneider: SAP Performance Optimization Guide, SAP Press, Bonn / Boston, 2011, ISBN 978-1-59229-
368-1
7.5 SAP Notes
SAP Note 833960: Supported Application Gateway Configurations
© 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.