SAP Web Dispatcher – custom logging
In one of our previous blogs, we shared some general guidelines for implementing secure HTTP (HTTPS). We also suggested building an information base to identify potential problems for future HTTPS implementations or changes. In this blog, we briefly zoom in on how this can be done for a common component in an SAP landscape: the SAP Web Dispatcher.
SAP Web Dispatcher
The SAP Web Dispatcher is a technical component that can be used as an entry point for HTTP(S) requests to backend systems. It acts as a reverse proxy, can be set up for multiple backend systems of different types, and provides load balancing and a range of other (security-related) functions. It is highly scalable and widely implemented in SAP landscapes. The SAP Web Dispatcher typically handles a large number of inbound connections and often forms a central, if not crucial, component for HTTP(S) communication.
So far, this is well known to most SAP technical experts, and the majority of configuration steps to set up connectivity are well documented. What is less clear is the state of connectivity during runtime. The Web Dispatcher provides some statistics on backend connections, response times, etc. What it does NOT offer sufficiently is a clear, comprehensive overview of which connections have been initiated over time, combined with useful HTTP and request characteristics.
Such an overview has great added value because it gives insight into the past and current status of connectivity, what changes may be required in the future, and what impact those changes may have.
Setting up custom logging
To get the required information, additional logging can be set up on the Web Dispatcher. Since the Web Dispatcher is based on the SAP Internet Communication Manager (ICM), it can use many of its features. One of these is the logging parameter ‘icm/HTTP/logging_<xx>’. This parameter defines a log file configuration with a particular log format that is constructed from several possible format parameters. See the SAP help for additional information. Interestingly, there is a specific set of format parameters for TLS-related information; also see SAP note 2379540.
To be concrete, the following is an example of the parameter settings for logging connections and TLS-related information:
icm/HTTP/logging_1 = PREFIX=/,LOGFILE=tls_inbound-%y-%m-%d.log%z,LOGFORMAT=%t %a %w1 %w2 %j %y1 %y2 %y4 %y5 %y6,MAXSIZEKB=500000,SWITCHTF=day
This creates a log file ‘tls_inbound’ with a date-time stamp in its name in the work directory of the Web Dispatcher and logs the following information:
- %t: Time specification in CLF format
- %a: IP address of the remote host
- %w1: SID of the back-end system (from wdisp/system) to which an HTTP request was sent
- %w2: Instance of the back-end system to which an HTTP request was sent
- %j: Log: HTTP or HTTPS
- %y1: TLS protocol version
- %y2: TLS cipher suite as a string
- %y4: Subject name of the X.509 certificate of the peer, if the client sent a certificate
- %y5: Result of the Application Layer Protocol Negotiation (ALPN)
- %y6: Host name specified by the client, if the TLS extension Server Name Indication (SNI) is used
The log file can be examined via the Web Dispatcher administration page under HTTP Handler, Access Log. Select the correct log file:
Via Logfile Contents, the contents of the file can be viewed or downloaded. Example:
As shown above, all connections are logged, including source, target and the relevant TLS information. This can be used for further analysis. Example analysis questions are:
- What is the ratio of HTTP vs HTTPS usage (if used at all)?
- What applications should/can be changed to use HTTPS?
- What connections are impacted when moving to TLS 1.2 only or adjusting cipher suite configuration?
The log file can also be downloaded and analysed further (in Microsoft Excel or other tools) to create insights based on particular dates and times, etc.
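As an added example (not from the original post or from SAP), the following Python script parses lines written in the log format configured above and answers the three analysis questions: the HTTP/HTTPS ratio, which clients and backends would be cut off by a TLS 1.2-only policy, and which would be affected by a cipher suite allow-list. The bracketed CLF time layout, the ‘-’ placeholder for empty fields, the spelling of the TLS version strings and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Matches one line of the LOGFORMAT from this page: %t %a %w1 %w2 %j %y1 %y2 %y4 %y5 %y6.
# Assumptions (constructed for this example, not taken from SAP documentation):
# %t is a bracketed CLF time, empty fields are written as "-", and the certificate
# subject (%y4) may contain spaces, so it is matched non-greedily ahead of ALPN and SNI.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<sid>\S+) (?P<instance>\S+) "
    r"(?P<scheme>HTTPS?) (?P<tls_version>\S+) (?P<cipher>\S+) (?P<subject>.*?) "
    r"(?P<alpn>\S+) (?P<sni>\S+)$"
)
# Assumed spelling of the %y1 version strings; anything else is treated as pre-TLS 1.2.
TLS12_OR_BETTER = {"TLSv1.2", "TLSv1.3"}

# Constructed sample lines (no real hosts, systems or users).
SAMPLE_LOG = """\
[03/Mar/2024:08:15:02 +0100] 10.10.1.15 ERP 00 HTTPS TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - h2 erp.example.internal
[03/Mar/2024:08:15:09 +0100] 10.10.1.15 ERP 00 HTTPS TLSv1.3 TLS_AES_256_GCM_SHA384 - http/1.1 erp.example.internal
[03/Mar/2024:08:16:41 +0100] 10.10.7.201 CRM 01 HTTPS TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHA CN=batchuser, O=Example - -
[03/Mar/2024:08:17:03 +0100] 10.10.9.44 PRT 00 HTTP - - - - -
[03/Mar/2024:08:18:30 +0100] 10.10.7.201 CRM 01 HTTPS TLSv1.1 TLS_RSA_WITH_3DES_EDE_CBC_SHA - - crm.example.internal
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarise(lines, allowed_ciphers=frozenset()):
    """HTTP vs HTTPS counts, TLS version and cipher usage, and the (client, SID, value)
    triples that a TLS 1.2-only policy or the given cipher allow-list would break."""
    scheme, versions, ciphers = Counter(), Counter(), Counter()
    pre_tls12, cipher_impact = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # line in another format, or truncated: skip rather than miscount
        scheme[rec["scheme"]] += 1
        if rec["scheme"] != "HTTPS":
            continue  # plain HTTP carries no TLS fields to evaluate
        versions[rec["tls_version"]] += 1
        ciphers[rec["cipher"]] += 1
        if rec["tls_version"] not in TLS12_OR_BETTER:
            pre_tls12.add((rec["client"], rec["sid"], rec["tls_version"]))
        if allowed_ciphers and rec["cipher"] not in allowed_ciphers:
            cipher_impact.add((rec["client"], rec["sid"], rec["cipher"]))
    return {"scheme": scheme, "tls_versions": versions, "ciphers": ciphers,
            "pre_tls12": pre_tls12, "cipher_impact": cipher_impact}

if __name__ == "__main__":
    allowed = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
    for key, value in summarise(SAMPLE_LOG.splitlines(), allowed).items():
        print(f"{key}: {value}")
```

To run it against a real download, replace SAMPLE_LOG.splitlines() with the lines of the tls_inbound file and adjust the regular expression if the Web Dispatcher writes the time or empty fields differently.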
- Since Web Dispatcher versions 7.81 and 7.85, a default logging configuration using the parameter ‘icm/HTTP/logging’ is active that logs request information. This default configuration does NOT log all TLS-related information (for example, the cipher suite used).
- As an alternative to the separate log file described above, the default configuration can also be extended with the format parameters mentioned, to log everything in one file.
- Other components that use the ICM, such as SAP ABAP and Java instances, can be set up with a similar logging configuration, including separate logging for client connectivity using the parameter ‘icm/HTTP/logging_client_<xx>’.