Thursday, June 12, 2008

Fully Qualified Domain Names (FQDN)

In Web Dynpro ABAP it is imperative that a client browser with a fully qualified domain name (FQDN) has access to the AS-ABAP. For this reason the full URL must be assigned to a Web Dynpro ABAP application when it is called. The URL must not be shortened (for instance, no domain specification).

The domain used must also satisfy the requirements of the cookie specification (see http://wp.netscape.com/newsref/std/cookie_spec.html).

To check the FQDN, in the Web Dynpro explorer in the ABAP development environment (SE80), choose the relevant Web Dynpro application from the navigation tree for your Web Dynpro component/interface, and check the URL in the administration data. Check whether the path details in field URL also contain the full domain and host name.

Note

Note that neither IP addresses nor underscore characters are allowed in host names (see below).

More information: SAP Note 654982.

Purpose

FQDNs are necessary for the following reasons:

One domain is required with which cookies can be set domain-wide, for instance, SSO2 cookies.

Domain relaxation code is required for cross-frame JavaScript.
This is particularly important for Structure linkPortal Integration (see below).

In an HTTPS environment, client and server names must correspond to each other for certificates and for the SSL protocol.

Note that the domain in which the AS ABAP is run is not necessarily the FQDN used to access the AS ABAP from the browser. A typical example is an AS ABAP that runs both in the Intranet and in the Internet. In a case like thi,s the FQDN is determined by the position of the browser relative to the AS ABAP and not by the AS ABAP itself.

Configuration of Fully Qualified Domain Names

If the host name simply specifies the host and port but not the domain (including the extension), the shortened URL of a Web application looks like:

This graphic is explained in the accompanying text

://:/sap/...

Example:

http://pwdf0487:1080/sap/bc/webdynpro/sap/wdr_test_events

Whereas the full URL should look like:

This graphic is explained in the accompanying text

://. :/sap/...

Example:

http://pwdf0487.wdf.sap-ag.de:1080/sap/bc/webdynpro/sap/wdr_test_events

IP Addresses Not Supported

URLs that contain IP addresses are not supported.

This graphic is explained in the accompanying text

://:/sap/...

Example:

http://10.21.81.0:1080/sap/bc/webdynpro/sap/xyz

The following notation is required:

This graphic is explained in the accompanying text

://. :/sap/...

Example:

http://hs0059i.wdf.sap.corp:1080/sap/bc/webdynpro/sap/xyz

To map IP addresses correctly, the following is required:

A minimal form of DNS at the customer location with the name of the AS-ABAP and a mapping to an IP address.

Alternatively, a pseudo AS-ABAP name can be used, and the HTTP proxy configured at the firewall in such a way that this URL is sent to the correct IP address.

For smaller installations you can use the following quick solution:

Update the hosts file on each workstation. Insert the line 10.17.73.210 hostname.domain.ext into file \WINNT\system32\drivers\etc\hosts.

No Support for '_' in Host Names

The browser does not accept cookies if a host name contains the underscore character '_'.

Since Microsoft Internet Explorer 6.0 and MS Internet Explorer 5.5 including security patch MS01-055 cannot accept any domain names with underscore characters, session cookies cannot be saved. This will result in terminations when navigating within a Web application.

Example

Example:

The development system is called dev_sys, and the quality security system, qsys. This means the fully qualified domain name is:

qsys.company.co.xx

The following notation is not accepted:
dev_sys.company.co.xx
qsys.my_company.co.xx

For this reason, host and domain names must never contain the underscore character, '_'.

Domain Restrictions in Accordance with the Cookie Specification

The portal must be started with a domain that complies with the domain specification of the Internet standard cookie specification. Otherwise the portal cannot create the MYSAPSSO2 cookie.

So that the browser can decide which servers a cookie can be sent to, the URL must contain the domain specification, since the decision is based on this information. In accordance with the Netscape cookie specification (available under http://wp.netscape.com/newsref/std/cookie_spec.html), cookies can be set for one domain only, and a domain must contain two or three dots (.) due to security restrictions. Each of the seven top level domains (.COM,.EDU,.NET,.ORG,.GOV,.MIL,.INT) must contain at least one further domain component (usually the name of the company or organization), amounting to two dots. Each domain with a different ending (this includes the top level domains for countries, such as UK, DE, FR, and so on) must consist of two further domain components, that is, these domains must contain at least three dots. For more information see the cookie specification.

Example

Examples of valid domains:

.sap.com
Top level domain -> two domain components

.portal.sap.de
No top level domain -> three domain components

Some browsers (for instance, Microsoft Internet Explorer) are less strict and permit domains that violate the cookie specification rules listed above.

The Internet Explorer would allow the following domain:

This graphic is explained in the accompanying text

.sap.de

This is not a top level domain, yet it only has two domain components.

Domains appear to be accepted whose penultimate component consists of at least three characters, because otherwise there would be problems, for instance with all British domains, due to there being insufficient restrictions on how cookies are sent.

Examples

URL

Description

http://www.xy.com

Compliant with specification

http://www.xy.co.uk

Compliant with specification


http://.epd.de

For MS IE ok

http://www.sap.de

For MS IE ok


http://.ep.de

For MS IE not ok

http://www.co.uk

Not ok (compliant with specification)

This graphic is explained in the accompanying text

SAP generally recommends that you always comply with the definitions of the cookie specifications.

HTTPS

The use of SSL (with HTTPS), as well as ensuring encrypted data transfer, should also ensure that the server being contacted (for example, a company or organization) is authentic. This is done using SSL server certificates. For each HTTPS URL the browser checks whether the full host name contained in the URL corresponds to the relevant specification (such as common name, CN) in the checked SSL server certificate. If the browser ascertains a difference, it triggers an error warning.

Examples

The SSL server certificate was issued on "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". The following URLs are checked:

URL

Description/Behavior

http://tcs.mysap.com/...

No SSL/HTTPS

https://tcs.mysap.com/...

Compliant with specification

https://tcs01.mysap.com/...

Warning/error

With an SSL server certificate issued on "CN=mysap.com, ..." all the URLs listed above return an error.

With an SSL server certificate issued on "CN=*.mysap.com, ..." all the URLs listed above return an error. A certification authority (CA), however, usually establishes its own rules for components that it issues and for verified certificates. The use of wildcards (*) in the common name is generally not permitted.

Note

When you use SSL terminating reverse proxies (in front of the Web Server/AS-ABAP), make sure that the SSL server certificate of the reverse proxy corresponds to the host name of the reverse proxy that is visible for the browser.

For more information about security see Security in AS-ABAP.

Setting the FQDN

The following variables and parameters are used to set the host and domain names:

SAPLOCALHOST

SAPLOCALHOSTFULL

icm/host_name_full

The ICM sets the FQHN in accordance with the hierarchy below:

...

1. Parameter SAPLOCALHOSTFULL in the SAP profile (recommended for high availability configurations) has top priority. If it is set in the profile file, the ICM takes this as the FQHN value.

Note

Note that the system default value of SAPLOCALHOSTFULL contains the host name without the domain, which is why the ICM ignores the system default.

2. If the parameter is not set, the value in Structure linkicm/host_name_full is used.

Set the value iicm/host_name_full = $(SAPLOCALHOST).domain.ext.

This is particularly suitable for situations where multiple application servers are operating with one instance profile.

3. If this parameter is also not set, the ICM takes the FQHN of the operating system.

Parameter SAPLOCALHOST is not fully qualified and is not used by the ICM for services.

SAP recommend you set either SAPLOCALHOSTFULL (for high availability configurations), or icm/host_name_full.

No comments:

Archive