Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Web Dispatcher for Fiori explained. Why and how?

hannes_defloo
Advisor
Advisor
‎12-06-2016 1:23 PM

Update 15/04/2020: Also with an embedded deployment for S/4HANA, the SAP Web Dispatcher should still be considered in your landscape for :

    • Load balancing HTTP requests to multiple application servers

 

    • Additional security with WD in DMZ, also look into Network Edge authentication supported by the Web Dispatcher, see SAP Help documentation.

 

 



NOTE: most of the above, except the authentication between S/4HANA and SAP CoPilot in SCP which is SAP proprietary functionality, can also be done by another 3rd party reverse proxy in customer landscape.

IMPORTANT : Embedded SAP Fiori deployment is recommended since end of 2017, see this blog.  If you are still running a separate server have a look at the Transition from Standalone to Embedded Deployment in SAP S/4HANA document.  With embedded deployment you benefit a lower TCO (no additional server), and you can use SAP Fiori Rapid Content Activation.

Further information below is based on the hub deployment where additional routing was needed. This is out-of-date but kept as a reference.

--

Update 24/07/2017 : when using the web dispatcher configuration below, the applications are all behind the same origin.  The drawback of this is that the kernel of front- and backend server need to be the same version.  See  SAP Note 2477189 - SAP NetWeaver Gateway, ICM, Web Dispatcher, S/4HANA and Kernel compatibility info...

An updated webdispatcher configuration where multiple origins are used is described in the 1709 UI Technology guide and below.  With this configuration the kernel restriction is not needed anymore. See Note for more info,  you need to correctly configure RFC destinations _RFC and _HTTPS in the FES system.

Please use the configuration from the UI Technology guide below, this is further explained in chapter 3.7.2 for Hub Deployments instead of the configuration described in the blog below:

# multiple origins configuration - without kernel restrictions - See Note 2477189 

#HTTPS 

ssl/ssl_lib = <sapcrypto dll> 

ssl/server_pse = <pse> 

icm/HTTPS/verify_client = 0 

ssl/client_pse = <pse> 

wdisp/ssl_encrypt = 1 

wdisp/ssl_auth = 2 

wdisp/ssl_cred = <pse> 

icm/HTTPS/forward_ccert_as_header = true 



#Additional parameters needed by SAP Fiori for correct request routing 

wdisp/system_conflict_resolution = FIRST_MATCH 

wdisp/handle_webdisp_ap_header = SET 

wdisp/add_xforwardedfor_header = true



#

icm/server_port_0 = PROT=HTTPS,PORT=44391,TIMEOUT=120

icm/server_port_1 = PROT=HTTPS,PORT=44392,TIMEOUT=120



#Frontend Server

wdisp/system_0 = SID=FES, MSHOST=<FES HOST>, MSPORT=<FES Port>,SRCSRV=*:44391, SRCURL=/sap/opu;/sap/bc;/sap/public, SSL_ENCRYPT=1

#Backend Server

wdisp/system_1 = SID=BES, MSHOST=<BES HOST>, MSPORT=<BES Port>,SRCSRV=*:44391, SRCURL=/sap/es/;/sap/bw/ina/;/sap/bw/Mime, SSL_ENCRYPT=1

#Backend Server for WebDynpro & Classic UI

wdisp/system_2 = SID=BES, MSHOST=<BES HOST>, MSPORT=<BES Port>,SRCSRV=*:44392, SRCURL=/sap, SSL_ENCRYPT=1


NOTE : For embedded deployment there is no entry for FES, and you can forward SRCURL=/sap to your S/4HANA server

The blog below is outdated but kept as a reference.

--

SAP Fiori applications are HTML5 applications based on the SAPUI5 java script library.  They are made of a combination of resources like java script, html, xml, css and image files.  At runtime they are downloaded first and after running locally in the client (end-users browser).

SAP Fiori applications retrieve or send updates to application data using OData calls provided by a SAP Gateway (aka frontend) server.  OData is an open standard based on existing standards like HTTP, REST, XML, JSON and more.  This frontend server provides data from SAP backends (this can be a S/4H, ERP, CRM or other system) via the OData format.  However some Fiori apps also need Analytic or Enterprise Search data provided directly by the backend.  Other apps launched from the Fiori Launchpad will need direct webdypro, web gui content be provided by the backend directly. See figure below:


A reverse proxy, like the SAP Web Dispatcher, needs to be placed in front of the front-end server and backend-server to route calls to the right server.  Such reverse proxy is needed because of its capabilities like URL redirection and rewriting and adding certificate authentication.  This reverse proxy can be hardware or a software application like the SAP Web Dispatcher.

If no reverse proxy some SAP Fiori apps like UI5 analytic apps will not work and no load balancing will be done in case multiple application servers are used.

In the next table a list of the routing mapping configuration needed in the reverse proxy for web traffic between a SAP Frontend and S/4H backend systems.


URL PathRoutingDescription
/sap/bc/ui5_ui5/FrontendSAPUI5 Application Handler
/sap/bc/ui2/FrontendUI Extension
/sap/bc/lrepFrontendLREP HTTP handler
/sap/opu/odataFrontendOData Standard Mode
/sap/bc/nwbc/FrontendNetWeaver Business Client
/sap/public/FrontendPUBLIC SERVICES
/sap/bc/bspFrontendBUSINESS SERVER PAGES (BSP) RUNTIME
/sap/saml2FrontendSAML
   
/sap/bc/webdynpro/BackendWeb Dynpro (WD) Runtime
/sap/es/BackendEnterprise Search
/sap/bc/gui/BackendITS-Based GUI Services
/sap/bc/apcBackendABAP Push Channel Framework
/sap/bw/inaBackendBW InA
/sap/bw/Mime/DS/ContentBackendMIME IN WEB REPORTING


 

The above routing mapping would translate to the following Web Dispatcher configuration file --

!!! 10/2017 : single origin configuration, deprecated, please use UI Technology guide configuration on top of the blog !! With this config you need same kernel versions FES and S/4HANA systems 

wdisp/system_0 = SID=XXX, MSHOST=FRONTEND-FQDN, MSPORT=XXXX, SSL_ENCRYPT=1, SRCSRV=*:44310, SRCURL=/sap/bc/ui5_ui5/;/sap/bc/ui2/;/sap/bc/lrep;/sap/opu/odata;/sap/bc/nwbc/;/sap/public/;/sap/bc/bsp;/sap/saml2



wdisp/system_1 = SID=XXX, MSHOST=S4HBACKEND-FQDN, MSPORT=XXXX, SSL_ENCRYPT=1, SRCSRV=*:44310, SRCURL=/sap/bc/webdynpro/;/sap/es/;/sap/bc/gui/;/sap/bc/apc;/sap/bw/ina;/sap/bw/Mime/DS/Content


This configuration is based on the Web Dispatcher configuration mentioned here, with some changes.  https://blogs.sap.com/2016/10/12/sap-fiori-s4hana-10-lessons-learned-s4hana-1511-projects/

This configuration should be complete for most customers but there might still be specific cases not covered.  Also a customer might, because of security reasons want to limit the urls redirected.  Therefore the configuration is to be discussed and implemented together with the network and security experts from the customer.

The recommended deployment option for SAP Gateway is to use a separate server (aka central hub deployment), see http://go.sap.com/documents/2016/06/e8e53e50-767c-0010-82c7-eda71af511fa.html#  .  However it is also possible to deploy the SAP Gateway on the backend system (aka embedded deployment) In this case a reverse proxy is technically not needed but preferred for security reasons.

Note that earlier releases like SAP Suite on Hana, SFIN 1.0 and SFIN 2.0 need a different configuration.  In this case some urls need to be redirected directly to the SAP Hana Database. This is not the case anymore in S/4H.  http://help.sap.com/saphelp_hba/helpdata/en/5e/9d0c52bcc19b33e10000000a44538d/content.htm?frameset=/...

Some further related information:

The S/4HANA Fiori Foundation Configuration (MAA) also describes the Web Dispatcher installation and more.  https://blogs.sap.com/2016/11/11/fiori-for-s4hana-getting-started-with-documentation/

Fiori frontend architecture when working with multiple clients in the backend.  https://blogs.sap.com/2016/10/11/configure-fiori-multi-clients/

Hope this information provides some insight and can help in your next S/4HANA implementation project!

Best regards,

Hannes Defloo

S/4HANA RIG team

11 Comments
MarkGoovaerts
Discoverer
‎12-08-2016 2:18 PM
0 Kudos
Hi Hannes,

Very nice overview ! Simple explanation and well documented.

I actually have one extra question. In the scheme I only see HTTPS between the SAP Webdispatcher (or another reverse proxy). I suppose this is not an obligation and you can also setup this traffic with HTTP ?

Kind regards,

Mark
hannes_defloo
Advisor
Advisor
‎12-08-2016 4:11 PM

Thanks for your comment Mark!

HTTPS is no technical obligation but ofcourse highly recommended, otherwise all traffic including usernames and passwords, is just sent over the network in clear text!

Hannes

 

vignesh_kamath
Explorer
‎12-12-2016 5:25 AM
Excellent Article, the same routing can also be used for any Load Balancer or ThirdParty reverse proxies.
Former Member
‎06-09-2017 9:02 PM
0 Kudos
Hi Hannes,

 

Thanks for the informative article. Could you pls tell if webdispatcher is must for jam integration?
chiwo_lee
Explorer
‎08-09-2017 4:28 AM
0 Kudos
Hello Hannes,

Thanks for the article. Based on your writing, I found that the URL /sap/bc/bsp is actually missing from the MAA_NWG20_BB_ConfigGuide_EN_XX Fiori Foundation configuration guide.

I truly like your mapping table and the explanations inside !

Regards,

Chiwo

 
former_member264006
Member
‎09-24-2017 9:03 PM
0 Kudos
Adding wdisp backend entry seems to allow direct URL from webdispatcher to backend (for more than just "search").  What is mechanism that forces call to backend (e.g. /sap/bc/gui) to use frontend authentication and not just end up depending on backend authentication?
former_member615507
Explorer
‎02-17-2021 8:38 AM
0 Kudos
Hi Hannes,

thank you very much for the very well described overview and conceptual outline.

You have described the reasons why the SAP Web Dispatcher should still be used in the landscape despite embedded deployment.

Does it have to be SAP Web Dispatcher as a product or can external reverse proxies also be used without restrictions?

Thank you!

Best regards
Ümüt
hannes_defloo
Advisor
Advisor
‎02-17-2021 8:38 PM
Hi Umut,

It can also be a 3rd party reverse proxy for most scenarios.

Only the CoPilot used a proprietary coding for authentication, but not sure if this will also be the case with CAI, which is planned to support S/4HANA on-premise backend systems later this year.

Regards, Hannes
former_member615507
Explorer
‎02-19-2021 9:27 AM
0 Kudos
Thank you Hannes. I would like to ask you one more question.

Is it only technically possible to use 3rd party products or is it also supported by SAP when you use 3rd party products reverse proxies?
sarvjeettripathi
Explorer
‎12-08-2021 2:10 PM
0 Kudos
excellent Read.
former_member189774
Participant
‎02-03-2022 7:38 PM
0 Kudos
Hello,

great reference and explanation. I just finished installing S/4HANA on SLES 15, with HA using Pacemaker. I set up logon group, both ASCS and ERS are on separate servers, with failover config. That HANA database is using System Replication. Question is, how to use/configure Webdispatcher and/or Gateway, for Fiori users to be able to use the system when one of the application servers fails. It says in your article it is needed for load balancing.

Thank you.
Labels in this area
Popular Blog Posts